chore: track audit-runs summary artifacts (md/csv/diff/txt/json/etc)

Snapshot of every non-log artifact under audit-runs/ from audits 003 through 058: findings.md per audit, comparison CSVs, probe diffs, schema docs, register-dump txts, lr-trace JSONL streams, the saved canary patch diffs, etc. ~284 files / ~52 MB total. Excluded (per .gitignore): probe stdout/stderr/log streams (the raw firehose), guest-memory dumps under audit-026/027/029 (4.5 GB of .bin files; *.bin pattern added to .gitignore this commit). Also adds the orphan audit-058-sub825070F0-activation directory that a subagent accidentally created at project-root instead of under xenia-rs/audit-runs/; relocated to its proper home. Purpose: cross-machine continuity. With these summaries committed, a fresh clone gives the next session the full per-audit context (findings + tables + cascade predictions) without dependence on local-only working tree. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 21:36:41 +02:00
parent 609f586ed8
commit 8e709b0a24
284 changed files with 677656 additions and 0 deletions
--- a/audit-runs/audit-026-mem-diff/anchors.txt
+++ b/audit-runs/audit-026-mem-diff/anchors.txt
@@ -0,0 +1,198 @@
+=== 0x828f4070 0x15e4 worker singleton ===
+  0x828f4070 canary=0x00000000  ours=0x01000000  DIFF
+  0x828f4074 canary=0x00000000  ours=0x00000000    
+  0x828f4078 canary=0x00000000  ours=0x00000000    
+  0x828f407c canary=0x00000000  ours=0x00000000    
+  0x828f4080 canary=0x00000000  ours=0xffffffff  DIFF
+  0x828f4084 canary=0x00000000  ours=0x00000000    
+  0x828f4088 canary=0x00000000  ours=0x00000000    
+  0x828f408c canary=0x00000000  ours=0x000015ec  DIFF
+  0x828f4090 canary=0x00000000  ours=0x000015e4  DIFF
+  0x828f4094 canary=0x00000000  ours=0x00000000    
+  0x828f4098 canary=0x00000000  ours=0x00000000    
+  0x828f409c canary=0x00000000  ours=0x00000000    
+  0x828f40a0 canary=0x00000000  ours=0x00000000    
+  0x828f40a4 canary=0x00000000  ours=0x00000000    
+  0x828f40a8 canary=0x00000000  ours=0x00000000    
+  0x828f40ac canary=0x00000000  ours=0x00000008  DIFF
+  0x828f40b0 canary=0x00000000  ours=0xffffffff  DIFF
+  0x828f40b4 canary=0x00000000  ours=0x00000000    
+  0x828f40b8 canary=0x00000000  ours=0x00000000    
+  0x828f40bc canary=0x00000000  ours=0x00000000    
+  0x828f40c0 canary=0x00000000  ours=0x00000000    
+  0x828f40c4 canary=0x00000000  ours=0x00000000    
+  0x828f40c8 canary=0x00000000  ours=0x00000000    
+  0x828f40cc canary=0x00000000  ours=0x00000000    
+  0x828f40d0 canary=0x00000000  ours=0x00000001  DIFF
+  0x828f40d4 canary=0x00000000  ours=0x00000000    
+  0x828f40d8 canary=0x00000000  ours=0x00000000    
+  0x828f40dc canary=0x00000000  ours=0x00000000    
+  0x828f40e0 canary=0x00000000  ours=0x00000000    
+  0x828f40e4 canary=0x00000000  ours=0x00000000    
+  0x828f40e8 canary=0x00000000  ours=0x00000000    
+  0x828f40ec canary=0x00000000  ours=0xffff0000  DIFF
+
+=== 0x828f4838 audit-023 listener struct ===
+  0x828f4838 canary=0x01010000  ours=0x01000000  DIFF
+  0x828f483c canary=0x00000000  ours=0x00000000    
+  0x828f4840 canary=0x58454e00  ours=0x00000000  DIFF
+  0x828f4844 canary=0xf8000034  ours=0x00000000  DIFF
+  0x828f4848 canary=0xffffffff  ours=0xffffffff    
+  0x828f484c canary=0x00000000  ours=0x00000000    
+  0x828f4850 canary=0x00000000  ours=0x00000000    
+  0x828f4854 canary=0x00000000  ours=0x00000000    
+  0x828f4858 canary=0xbc365740  ours=0x4024a2e0  DIFF
+  0x828f485c canary=0x00000008  ours=0x00000008    
+  0x828f4860 canary=0x00000000  ours=0x00000000    
+  0x828f4864 canary=0x00000000  ours=0x00000000    
+  0x828f4868 canary=0x00000000  ours=0x00000000    
+  0x828f486c canary=0xbc365180  ours=0x4024a1a0  DIFF
+  0x828f4870 canary=0x00000013  ours=0x0000000f  DIFF
+  0x828f4874 canary=0x00000000  ours=0x00000000    
+  0x828f4878 canary=0xbc3651e0  ours=0x4024a200  DIFF
+  0x828f487c canary=0x00000001  ours=0x00000000  DIFF
+  0x828f4880 canary=0x00000000  ours=0x00000000    
+  0x828f4884 canary=0xbc65c980  ours=0x40542240  DIFF
+  0x828f4888 canary=0x00000010  ours=0x00000010    
+  0x828f488c canary=0x00000000  ours=0x00000000    
+  0x828f4890 canary=0x00000013  ours=0x0000000f  DIFF
+  0x828f4894 canary=0x00000004  ours=0x0000000f  DIFF
+  0x828f4898 canary=0x00000000  ours=0x00000000    
+  0x828f489c canary=0xf800002c  ours=0x00001030  DIFF
+  0x828f48a0 canary=0xf8000028  ours=0x00001028  DIFF
+  0x828f48a4 canary=0x00000001  ours=0x00000001    
+  0x828f48a8 canary=0x00000000  ours=0x00000000    
+  0x828f48ac canary=0x00000000  ours=0x00000001  DIFF
+  0x828f48b0 canary=0x00000000  ours=0x828f4070  DIFF
+  0x828f48b4 canary=0x00000001  ours=0x00000001    
+
+=== 0x828f3d08 0x100c dispatcher ===
+  0x828f3d08 canary=0xffffffff  ours=0xffffffff    
+  0x828f3d0c canary=0x00000000  ours=0x00000000    
+  0x828f3d10 canary=0x00000000  ours=0x00000000    
+  0x828f3d14 canary=0x00000000  ours=0x00000000    
+  0x828f3d18 canary=0x00000000  ours=0x00000000    
+  0x828f3d1c canary=0x00000000  ours=0x00000000    
+  0x828f3d20 canary=0x00000000  ours=0x00000000    
+  0x828f3d24 canary=0x00000000  ours=0x00000000    
+  0x828f3d28 canary=0x00000000  ours=0x00000000    
+  0x828f3d2c canary=0x00000000  ours=0x00000000    
+  0x828f3d30 canary=0x00000007  ours=0x00000007    
+  0x828f3d34 canary=0x01010000  ours=0x01000000  DIFF
+  0x828f3d38 canary=0x00000000  ours=0x00000000    
+  0x828f3d3c canary=0x00000000  ours=0x00000000    
+  0x828f3d40 canary=0x00000000  ours=0x00000000    
+  0x828f3d44 canary=0xffffffff  ours=0xffffffff    
+
+=== 0x828f3ec0 0x1004 dispatcher ===
+  0x828f3ec0 canary=0x01010000  ours=0x01000000  DIFF
+  0x828f3ec4 canary=0x00000000  ours=0x00000000    
+  0x828f3ec8 canary=0x00000000  ours=0x00000000    
+  0x828f3ecc canary=0x00000000  ours=0x00000000    
+  0x828f3ed0 canary=0x00000000  ours=0xffffffff  DIFF
+  0x828f3ed4 canary=0x00000001  ours=0x00000000  DIFF
+  0x828f3ed8 canary=0x30025018  ours=0x00000000  DIFF
+  0x828f3edc canary=0x00000000  ours=0x00000000    
+  0x828f3ee0 canary=0xbc65cc00  ours=0x40541bc0  DIFF
+  0x828f3ee4 canary=0x00000000  ours=0x00000000    
+  0x828f3ee8 canary=0x00000000  ours=0x00000000    
+  0x828f3eec canary=0x00000000  ours=0x00000000    
+  0x828f3ef0 canary=0x00000014  ours=0x00000014    
+  0x828f3ef4 canary=0x0000002f  ours=0x0000002f    
+  0x828f3ef8 canary=0xbd610f60  ours=0x414f5f60  DIFF
+  0x828f3efc canary=0xbc32cca0  ours=0x40211ca0  DIFF
+
+=== 0x828f48b0 audit-024A singleton-pool start ===
+  0x828f48b0 canary=0x00000000  ours=0x828f4070  DIFF
+  0x828f48b4 canary=0x00000001  ours=0x00000001    
+  0x828f48b8 canary=0x00000000  ours=0x00000001  DIFF
+  0x828f48bc canary=0x00000000  ours=0x00000001  DIFF
+  0x828f48c0 canary=0x00000001  ours=0x00000001    
+  0x828f48c4 canary=0x00000000  ours=0x828f3850  DIFF
+  0x828f48c8 canary=0x00000001  ours=0x00000001    
+  0x828f48cc canary=0x00000000  ours=0x00000000    
+  0x828f48d0 canary=0x00000000  ours=0x00000001  DIFF
+  0x828f48d4 canary=0x828f3ec0  ours=0x828f3ec0    
+  0x828f48d8 canary=0x00000001  ours=0x00000001    
+  0x828f48dc canary=0x00000001  ours=0x00000001    
+  0x828f48e0 canary=0x00000000  ours=0x00000001  DIFF
+  0x828f48e4 canary=0x00000000  ours=0x01000000  DIFF
+  0x828f48e8 canary=0x00000000  ours=0x00000001  DIFF
+  0x828f48ec canary=0x00000000  ours=0x00000001  DIFF
+  0x828f48f0 canary=0x00000000  ours=0x828f3e08  DIFF
+  0x828f48f4 canary=0x00000000  ours=0x00000001  DIFF
+  0x828f48f8 canary=0x00000000  ours=0x00000000    
+  0x828f48fc canary=0x00000000  ours=0x00000000    
+  0x828f4900 canary=0x00000000  ours=0x00000000    
+  0x828f4904 canary=0x00000000  ours=0x00000000    
+  0x828f4908 canary=0x00000000  ours=0x00000000    
+  0x828f490c canary=0x00000000  ours=0x00000000    
+
+=== 0x828a3230 audio buffer-completion semaphore ===
+  0x828a3230 canary=0x05000000  ours=0x05000500  DIFF
+  0x828a3234 canary=0x00000000  ours=0x00000000    
+  0x828a3238 canary=0x58454e00  ours=0x58454e00    
+  0x828a323c canary=0xf8000070  ours=0x828a3230  DIFF
+  0x828a3240 canary=0x00000006  ours=0x00000006    
+  0x828a3244 canary=0x01000000  ours=0x01000000    
+  0x828a3248 canary=0x00000000  ours=0x00000000    
+  0x828a324c canary=0x58454e00  ours=0x828a324c  DIFF
+  0x828a3250 canary=0xf8000080  ours=0x828a324c  DIFF
+  0x828a3254 canary=0x01000000  ours=0x01000000    
+  0x828a3258 canary=0x00000000  ours=0x00000000    
+  0x828a325c canary=0x58454e00  ours=0x58454e00    
+  0x828a3260 canary=0xf800007c  ours=0x828a3254  DIFF
+  0x828a3264 canary=0xbe628edc  ours=0x4250dedc  DIFF
+  0x828a3268 canary=0x1fca7000  ours=0x00000000  DIFF
+  0x828a326c canary=0x00000000  ours=0x00000000    
+
+=== 0x828a3254 audit-025 audio wait target ===
+  0x828a3254 canary=0x01000000  ours=0x01000000    
+  0x828a3258 canary=0x00000000  ours=0x00000000    
+  0x828a325c canary=0x58454e00  ours=0x58454e00    
+  0x828a3260 canary=0xf800007c  ours=0x828a3254  DIFF
+  0x828a3264 canary=0xbe628edc  ours=0x4250dedc  DIFF
+  0x828a3268 canary=0x1fca7000  ours=0x00000000  DIFF
+  0x828a326c canary=0x00000000  ours=0x00000000    
+  0x828a3270 canary=0x00000000  ours=0x00000000    
+  0x828a3274 canary=0x00000000  ours=0x00000000    
+  0x828a3278 canary=0x00000000  ours=0x00000000    
+  0x828a327c canary=0x00000000  ours=0x00000000    
+  0x828a3280 canary=0x00000000  ours=0x00000000    
+
+=== 0x82006cf4 audit-025 audio_system vtable ===
+  0x82006cf4 canary=0x824d2bd8  ours=0x824d2bd8    
+  0x82006cf8 canary=0x824d4100  ours=0x824d4100    
+  0x82006cfc canary=0x824d4118  ours=0x824d4118    
+  0x82006d00 canary=0x824d14c0  ours=0x824d14c0    
+  0x82006d04 canary=0x827f2590  ours=0x827f2590    
+  0x82006d08 canary=0x824d4698  ours=0x824d4698    
+  0x82006d0c canary=0x824d4100  ours=0x824d4100    
+  0x82006d10 canary=0x824d4118  ours=0x824d4118    
+
+=== 0x828a6900 0x828a0000 page diff cluster ===
+  0x828a6900 canary=0x00000000  ours=0x00000000    
+  0x828a6904 canary=0xb4490000  ours=0x4b90c000  DIFF
+  0x828a6908 canary=0x00000000  ours=0x00000001  DIFF
+  0x828a690c canary=0x00000000  ours=0x00000000    
+  0x828a6910 canary=0x00000000  ours=0x00000000    
+  0x828a6914 canary=0x00000000  ours=0x00000000    
+  0x828a6918 canary=0x00000000  ours=0x00000000    
+  0x828a691c canary=0x00000000  ours=0x00000000    
+  0x828a6920 canary=0x00000000  ours=0x00000000    
+  0x828a6924 canary=0x00000000  ours=0x00000000    
+  0x828a6928 canary=0x00000000  ours=0x00000000    
+  0x828a692c canary=0x00000000  ours=0x00000000    
+  0x828a6930 canary=0x00000000  ours=0x00000003  DIFF
+  0x828a6934 canary=0x00000000  ours=0x00000001  DIFF
+  0x828a6938 canary=0x00000000  ours=0x00000001  DIFF
+  0x828a693c canary=0x00000000  ours=0x4c945820  DIFF
+  0x828a6940 canary=0x00000000  ours=0x00000166  DIFF
+  0x828a6944 canary=0x00000000  ours=0x4c9484e0  DIFF
+  0x828a6948 canary=0x00000000  ours=0x00005286  DIFF
+  0x828a694c canary=0x00000000  ours=0x4c94d800  DIFF
+  0x828a6950 canary=0x00000000  ours=0x00882000  DIFF
+  0x828a6954 canary=0x00000000  ours=0x40d09bc0  DIFF
+  0x828a6958 canary=0x00000000  ours=0x40d09d40  DIFF
+  0x828a695c canary=0x00000000  ours=0x00000000    
+
--- a/audit-runs/audit-026-mem-diff/diff-b.txt
+++ b/audit-runs/audit-026-mem-diff/diff-b.txt
@@ -0,0 +1,13 @@
+# B-list: 12 entries — ours has 0x82xxxxxx PC, canary differs
+addr=0x82000870  canary=0x30006000  ours=0x82000000
+addr=0x82870948  canary=0xf800001c  ours=0x8287093c
+addr=0x82870958  canary=0xf8000014  ours=0x8287094c
+addr=0x828a3228  canary=0x58454e00  ours=0x828a3228
+addr=0x828a322c  canary=0xf8000084  ours=0x828a3228
+addr=0x828a323c  canary=0xf8000070  ours=0x828a3230
+addr=0x828a324c  canary=0x58454e00  ours=0x828a324c
+addr=0x828a3250  canary=0xf8000080  ours=0x828a324c
+addr=0x828a3260  canary=0xf800007c  ours=0x828a3254
+addr=0x828f48b0  canary=0x00000000  ours=0x828f4070
+addr=0x828f48c4  canary=0x00000000  ours=0x828f3850
+addr=0x828f48f0  canary=0x00000000  ours=0x828f3e08
--- a/audit-runs/audit-026-mem-diff/diff.txt
+++ b/audit-runs/audit-026-mem-diff/diff.txt
@@ -0,0 +1 @@
+# A-list: 0 entries — canary has 0x82xxxxxx PC, ours differs
--- a/audit-runs/audit-026-mem-diff/diff_v80.py
+++ b/audit-runs/audit-026-mem-diff/diff_v80.py
@@ -0,0 +1,152 @@
+#!/usr/bin/env python3
+"""Comprehensive dword-level diff of canary's v80 vs ours.
+
+For every 4-byte BE-aligned dword in [0x80000000, 0x90000000):
+  - canary_dw = canary[i*4..i*4+4] interpreted as BE u32
+  - ours_dw   = ours  [i*4..i*4+4] interpreted as BE u32
+
+Records:
+  CASE A (primary): canary_dw in 0x82000000..0x82A00000 (game-code addr) AND ours_dw != canary_dw
+  CASE B (inverse): ours_dw in 0x82000000..0x82A00000 AND canary_dw != ours_dw
+
+Produces:
+  diff.txt    full sorted A-list
+  diff-b.txt  inverse B-list (smaller, often empty)
+  histogram.txt   bucket count by canary PC's 0x1000-aligned function
+  l1-hits.txt     specific renderer cluster L1 PC hits
+  tables.txt      runs of >=4 consecutive dwords with same divergence shape
+"""
+import struct
+import sys
+import os
+from collections import defaultdict
+
+V80_BASE = 0x80000000
+V80_LEN  = 0x10000000
+PC_LO    = 0x82000000
+PC_HI    = 0x82A00000
+
+L1_PCS = {
+    0x822919C8: "sub_822919C8",
+    0x82293448: "sub_82293448",
+    0x82288028: "sub_82288028",
+    0x82292D80: "sub_82292d80",
+    0x822851E0: "sub_822851e0",
+    0x82286BC8: "sub_82286bc8",
+    # also worth flagging from the AUDIT-025 audio path:
+    0x82006CF4: "audio_system_vtable_0x82006CF4",  # unlikely in v80 but worth logging
+    0x824D23B0: "sub_824D23B0_audio_KeSetEvent",
+}
+
+NAMED_ANCHORS = {
+    0x828F3D08: "0x100c dispatcher",
+    0x828F3EC0: "0x1004 dispatcher",
+    0x828F4070: "0x15e4 worker singleton",
+    0x828F4838: "audit-023 listener struct",
+    0x828A3230: "audio buffer-completion semaphore",
+    0x828A3254: "audit-025 audio wait target",
+    0x40BA9A80: "audit-016 listener struct (heap)",
+}
+
+def main():
+    here = os.path.dirname(os.path.abspath(__file__))
+    canary_path = os.path.join(here, "canary-v80.bin")
+    ours_path   = os.path.join(here, "ours-v80.bin")
+    canary = open(canary_path, "rb").read()
+    ours   = open(ours_path, "rb").read()
+    assert len(canary) == V80_LEN, len(canary)
+    assert len(ours)   == V80_LEN, len(ours)
+
+    a_list = []  # canary has PC, ours different
+    b_list = []  # ours has PC, canary different
+    for i in range(0, V80_LEN, 4):
+        cdw = struct.unpack_from(">I", canary, i)[0]
+        odw = struct.unpack_from(">I", ours,   i)[0]
+        if cdw == odw:
+            continue
+        addr = V80_BASE + i
+        if PC_LO <= cdw < PC_HI:
+            a_list.append((addr, cdw, odw))
+        if PC_LO <= odw < PC_HI:
+            b_list.append((addr, cdw, odw))
+
+    print(f"[i] case A divergences (canary has PC, ours differs): {len(a_list)}")
+    print(f"[i] case B divergences (ours has PC, canary differs): {len(b_list)}")
+
+    with open(os.path.join(here, "diff.txt"), "w") as f:
+        f.write(f"# A-list: {len(a_list)} entries — canary has 0x82xxxxxx PC, ours differs\n")
+        for addr, c, o in a_list:
+            f.write(f"addr={addr:#010x}  canary={c:#010x}  ours={o:#010x}\n")
+    with open(os.path.join(here, "diff-b.txt"), "w") as f:
+        f.write(f"# B-list: {len(b_list)} entries — ours has 0x82xxxxxx PC, canary differs\n")
+        for addr, c, o in b_list:
+            f.write(f"addr={addr:#010x}  canary={c:#010x}  ours={o:#010x}\n")
+
+    # Histogram by canary PC value (0x1000-aligned)
+    bucket = defaultdict(int)
+    for _addr, c, _o in a_list:
+        bucket[c & ~0xFFF] += 1
+    sorted_b = sorted(bucket.items(), key=lambda x: -x[1])
+    with open(os.path.join(here, "histogram.txt"), "w") as f:
+        f.write("# canary PC value bucket (0x1000-aligned) -> count of A-list entries\n")
+        for k, v in sorted_b:
+            f.write(f"{k:#010x}  {v}\n")
+    print(f"[i] top 10 PC buckets (canary value):")
+    for k, v in sorted_b[:10]:
+        print(f"    {k:#010x}  {v}")
+
+    # L1 PC explicit hits
+    l1_hits = []
+    for addr, c, o in a_list:
+        if c in L1_PCS:
+            l1_hits.append((addr, c, o, L1_PCS[c]))
+    with open(os.path.join(here, "l1-hits.txt"), "w") as f:
+        f.write(f"# Renderer cluster L1 PC hits in canary's v80 (count={len(l1_hits)})\n")
+        for addr, c, o, name in l1_hits:
+            f.write(f"addr={addr:#010x}  canary={c:#010x}  ours={o:#010x}  // {name}\n")
+    print(f"[i] L1 PC hits: {len(l1_hits)}")
+    for addr, c, o, name in l1_hits[:20]:
+        print(f"    addr={addr:#010x}  canary={c:#010x}  // {name}")
+
+    # Table detection: runs of 4+ consecutive 4-byte dwords where canary
+    # has any 0x82xxxxxx and ours has zero (or 0xFFFFFFFF sentinel).
+    addr_set_a = {a for a, _c, _o in a_list}
+    runs = []
+    i = 0
+    a_sorted = sorted(a_list, key=lambda x: x[0])
+    j = 0
+    while j < len(a_sorted):
+        start = j
+        while j + 1 < len(a_sorted) and a_sorted[j+1][0] == a_sorted[j][0] + 4:
+            j += 1
+        if j - start + 1 >= 4:
+            entries = a_sorted[start:j+1]
+            zero_count = sum(1 for _a, _c, o in entries if o == 0)
+            runs.append((entries[0][0], len(entries), zero_count, entries))
+        j += 1
+    runs.sort(key=lambda r: -r[1])
+    with open(os.path.join(here, "tables.txt"), "w") as f:
+        f.write(f"# Consecutive A-list runs (>=4 dwords): {len(runs)} runs\n\n")
+        for base, length, zeros, entries in runs[:80]:
+            f.write(f"=== run base={base:#010x} length={length} zeros_in_ours={zeros} ===\n")
+            for addr, c, o in entries[:32]:
+                f.write(f"  +{addr-base:#06x}: canary={c:#010x}  ours={o:#010x}\n")
+            if length > 32:
+                f.write(f"  ... and {length-32} more\n")
+            f.write("\n")
+    print(f"[i] table-shaped runs (>=4 consecutive A-list dwords): {len(runs)}")
+    for base, length, zeros, _ in runs[:8]:
+        print(f"    base={base:#010x}  length={length}  zeros={zeros}")
+
+    # Anchor-address neighborhood reports
+    with open(os.path.join(here, "anchors.txt"), "w") as f:
+        f.write("# Diff entries within ±0x100 of named anchor addresses\n\n")
+        for anchor, name in NAMED_ANCHORS.items():
+            f.write(f"=== {anchor:#010x} ({name}) ===\n")
+            for addr, c, o in a_list:
+                if abs(addr - anchor) <= 0x100:
+                    f.write(f"  addr={addr:#010x}  canary={c:#010x}  ours={o:#010x}\n")
+            f.write("\n")
+
+if __name__ == "__main__":
+    main()
--- a/audit-runs/audit-026-mem-diff/extract_v80.py
+++ b/audit-runs/audit-026-mem-diff/extract_v80.py
@@ -0,0 +1,52 @@
+#!/usr/bin/env python3
+"""Extract canary's v80000000 256MB span as a flat binary mirroring our format.
+
+Reads the canary Memory::Save dump at audit-runs/audit-024a-canary-diff/canary-memory.dump,
+walks heaps in order (v00 v40 v80 v90 physical), and for v80 writes each committed
+65536-byte page to its file offset (page_idx * 65536). Uncommitted pages stay zero.
+"""
+import struct
+import sys
+import os
+
+HEAPS = [
+    ("v00000000", 0x00000000, 0x40000000, 4096),
+    ("v40000000", 0x40000000, 0x3F000000, 65536),
+    ("v80000000", 0x80000000, 0x10000000, 65536),
+    ("v90000000", 0x90000000, 0x10000000, 4096),
+    ("physical",  0x00000000, 0x20000000, 4096),
+]
+K_COMMIT = 0x2
+
+def main():
+    src = sys.argv[1] if len(sys.argv) > 1 else \
+        "/home/fabi/RE Project Sylpheed/xenia-rs/audit-runs/audit-024a-canary-diff/canary-memory.dump"
+    out = sys.argv[2] if len(sys.argv) > 2 else \
+        os.path.join(os.path.dirname(__file__), "canary-v80.bin")
+    with open(src, "rb") as f:
+        data = f.read()
+    print(f"[i] dump size: {len(data)} bytes ({len(data)/1024/1024:.1f} MiB)")
+    cursor = 0
+    out_buf = None
+    for name, base, size, page_size in HEAPS:
+        page_count = size // page_size
+        committed = 0
+        if name == "v80000000":
+            out_buf = bytearray(size)
+        for i in range(page_count):
+            qword = struct.unpack_from("<Q", data, cursor)[0]
+            cursor += 8
+            state = (qword >> 60) & 0x3
+            if state != 0 and (state & K_COMMIT):
+                if name == "v80000000":
+                    out_buf[i*page_size:(i+1)*page_size] = data[cursor:cursor+page_size]
+                cursor += page_size
+                committed += 1
+        print(f"[i] {name}: pages={page_count} committed={committed}")
+    print(f"[i] total parsed: {cursor:#x} (file size: {len(data):#x})")
+    with open(out, "wb") as f:
+        f.write(out_buf)
+    print(f"[i] wrote {len(out_buf)} bytes to {out}")
+
+if __name__ == "__main__":
+    main()
--- a/audit-runs/audit-026-mem-diff/histogram.txt
+++ b/audit-runs/audit-026-mem-diff/histogram.txt
@@ -0,0 +1 @@
+# canary PC value bucket (0x1000-aligned) -> count of A-list entries
--- a/audit-runs/audit-026-mem-diff/l1-hits.txt
+++ b/audit-runs/audit-026-mem-diff/l1-hits.txt
@@ -0,0 +1 @@
+# Renderer cluster L1 PC hits in canary's v80 (count=0)
--- a/audit-runs/audit-026-mem-diff/page_diffs.py
+++ b/audit-runs/audit-026-mem-diff/page_diffs.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+"""Identify the 7 differing 64KB pages and dump per-page summaries."""
+import struct
+import os
+
+here = os.path.dirname(os.path.abspath(__file__))
+canary = open(os.path.join(here, "canary-v80.bin"), "rb").read()
+ours   = open(os.path.join(here, "ours-v80.bin"), "rb").read()
+
+PG = 65536
+PC_LO, PC_HI = 0x82000000, 0x82A00000
+V80 = 0x80000000
+
+print("=== differing 64KB pages ===\n")
+for i in range(0, len(canary), PG):
+    if not any(canary[i:i+PG]) and not any(ours[i:i+PG]):
+        continue
+    if canary[i:i+PG] == ours[i:i+PG]:
+        continue
+    page_addr = V80 + i
+    # count differing dwords
+    diffs = 0
+    pc_diffs_canary = 0
+    pc_diffs_ours = 0
+    for j in range(0, PG, 4):
+        cdw = struct.unpack_from(">I", canary, i+j)[0]
+        odw = struct.unpack_from(">I", ours, i+j)[0]
+        if cdw != odw:
+            diffs += 1
+            if PC_LO <= cdw < PC_HI:
+                pc_diffs_canary += 1
+            if PC_LO <= odw < PC_HI:
+                pc_diffs_ours += 1
+    cnz = sum(1 for b in canary[i:i+PG] if b != 0)
+    onz = sum(1 for b in ours[i:i+PG] if b != 0)
+    print(f"page {page_addr:#010x}: {diffs} diff dwords, canary_nz={cnz}, ours_nz={onz}, "
+          f"PCs_in_diffs(canary={pc_diffs_canary}, ours={pc_diffs_ours})")
+
+print("\n=== detailed dump: first 64 differing dwords per page ===")
+for i in range(0, len(canary), PG):
+    if canary[i:i+PG] == ours[i:i+PG]:
+        continue
+    if not any(canary[i:i+PG]) and not any(ours[i:i+PG]):
+        continue
+    page_addr = V80 + i
+    print(f"\n--- page {page_addr:#010x} ---")
+    shown = 0
+    for j in range(0, PG, 4):
+        cdw = struct.unpack_from(">I", canary, i+j)[0]
+        odw = struct.unpack_from(">I", ours, i+j)[0]
+        if cdw != odw:
+            addr = V80 + i + j
+            shown += 1
+            print(f"  +{j:#06x}={addr:#010x}: canary={cdw:#010x}  ours={odw:#010x}")
+            if shown >= 64:
+                # report total remaining
+                remaining = sum(1 for k in range(j+4, PG, 4)
+                                if struct.unpack_from(">I", canary, i+k)[0] !=
+                                   struct.unpack_from(">I", ours, i+k)[0])
+                print(f"  ... and {remaining} more on this page")
+                break
--- a/audit-runs/audit-026-mem-diff/page_diffs.txt
+++ b/audit-runs/audit-026-mem-diff/page_diffs.txt
@@ -0,0 +1,298 @@
+=== differing 64KB pages ===
+
+page 0x82000000: 204 diff dwords, canary_nz=44251, ours_nz=43466, PCs_in_diffs(canary=0, ours=1)
+page 0x82840000: 776 diff dwords, canary_nz=57722, ours_nz=59216, PCs_in_diffs(canary=0, ours=0)
+page 0x82870000: 8 diff dwords, canary_nz=47494, ours_nz=47496, PCs_in_diffs(canary=0, ours=2)
+page 0x82880000: 2 diff dwords, canary_nz=23157, ours_nz=23157, PCs_in_diffs(canary=0, ours=0)
+page 0x828a0000: 37 diff dwords, canary_nz=9238, ours_nz=9260, PCs_in_diffs(canary=0, ours=6)
+page 0x828e0000: 1931 diff dwords, canary_nz=10158, ours_nz=10165, PCs_in_diffs(canary=0, ours=0)
+page 0x828f0000: 1095 diff dwords, canary_nz=18043, ours_nz=19408, PCs_in_diffs(canary=0, ours=3)
+
+=== detailed dump: first 64 differing dwords per page ===
+
+--- page 0x82000000 ---
+  +0x0600=0x82000600: canary=0xdeadc0de  ours=0x00000000
+  +0x0604=0x82000604: canary=0xdeadc0de  ours=0x00000000
+  +0x0608=0x82000608: canary=0xdeadc0de  ours=0x00000000
+  +0x060c=0x8200060c: canary=0xdeadc0de  ours=0x00000000
+  +0x0610=0x82000610: canary=0xdeadc0de  ours=0x00000000
+  +0x0614=0x82000614: canary=0xdeadc0de  ours=0x00000000
+  +0x0618=0x82000618: canary=0xdeadc0de  ours=0x00000000
+  +0x061c=0x8200061c: canary=0xdeadc0de  ours=0x00000000
+  +0x0620=0x82000620: canary=0xdeadc0de  ours=0x00000000
+  +0x0624=0x82000624: canary=0xdeadc0de  ours=0x00000000
+  +0x0628=0x82000628: canary=0xdeadc0de  ours=0x00000000
+  +0x062c=0x8200062c: canary=0xdeadc0de  ours=0x00000000
+  +0x0630=0x82000630: canary=0xdeadc0de  ours=0x00000000
+  +0x0634=0x82000634: canary=0xdeadc0de  ours=0x00000000
+  +0x0638=0x82000638: canary=0xdeadc0de  ours=0x00000000
+  +0x063c=0x8200063c: canary=0xdeadc0de  ours=0x00000000
+  +0x0640=0x82000640: canary=0xdeadc0de  ours=0x00000000
+  +0x0644=0x82000644: canary=0xdeadc0de  ours=0x00000000
+  +0x0648=0x82000648: canary=0xdeadc0de  ours=0x00000000
+  +0x064c=0x8200064c: canary=0xdeadc0de  ours=0x00000000
+  +0x0650=0x82000650: canary=0xdeadc0de  ours=0x00000000
+  +0x0654=0x82000654: canary=0xdeadc0de  ours=0x00000000
+  +0x0658=0x82000658: canary=0xdeadc0de  ours=0x00000000
+  +0x065c=0x8200065c: canary=0xdeadc0de  ours=0x00000000
+  +0x0660=0x82000660: canary=0xdeadc0de  ours=0x00000000
+  +0x0664=0x82000664: canary=0xdeadc0de  ours=0x00000000
+  +0x0668=0x82000668: canary=0xdeadc0de  ours=0x00000000
+  +0x066c=0x8200066c: canary=0xdeadc0de  ours=0x00000000
+  +0x0670=0x82000670: canary=0xdeadc0de  ours=0x00000000
+  +0x0674=0x82000674: canary=0xdeadc0de  ours=0x00000000
+  +0x0678=0x82000678: canary=0xdeadc0de  ours=0x00000000
+  +0x067c=0x8200067c: canary=0xdeadc0de  ours=0x00000000
+  +0x0680=0x82000680: canary=0xdeadc0de  ours=0x00000000
+  +0x0684=0x82000684: canary=0xdeadc0de  ours=0x00000000
+  +0x0688=0x82000688: canary=0xdeadc0de  ours=0x00000000
+  +0x068c=0x8200068c: canary=0xdeadc0de  ours=0x00000000
+  +0x0690=0x82000690: canary=0xdeadc0de  ours=0x00000000
+  +0x0694=0x82000694: canary=0xdeadc0de  ours=0x00000000
+  +0x0698=0x82000698: canary=0xdeadc0de  ours=0x00000000
+  +0x069c=0x8200069c: canary=0xdeadc0de  ours=0x00000000
+  +0x06a0=0x820006a0: canary=0xdeadc0de  ours=0x00000000
+  +0x06a4=0x820006a4: canary=0xdeadc0de  ours=0x00000000
+  +0x06a8=0x820006a8: canary=0xdeadc0de  ours=0x00000000
+  +0x06ac=0x820006ac: canary=0xdeadc0de  ours=0x00000000
+  +0x06b0=0x820006b0: canary=0xdeadc0de  ours=0x00000000
+  +0x06b4=0x820006b4: canary=0xdeadc0de  ours=0x00000000
+  +0x06b8=0x820006b8: canary=0xdeadc0de  ours=0x00000000
+  +0x06bc=0x820006bc: canary=0xdeadc0de  ours=0x00000000
+  +0x06c0=0x820006c0: canary=0xdeadc0de  ours=0x00000000
+  +0x06c4=0x820006c4: canary=0xdeadc0de  ours=0x00000000
+  +0x06c8=0x820006c8: canary=0xdeadc0de  ours=0x00000000
+  +0x06cc=0x820006cc: canary=0xdeadc0de  ours=0x00000000
+  +0x06d4=0x820006d4: canary=0xdeadc0de  ours=0x00000000
+  +0x06d8=0x820006d8: canary=0xdeadc0de  ours=0x00000000
+  +0x06dc=0x820006dc: canary=0xdeadc0de  ours=0x00000000
+  +0x06e0=0x820006e0: canary=0xdeadc0de  ours=0x00000000
+  +0x06e4=0x820006e4: canary=0xdeadc0de  ours=0x00000000
+  +0x06e8=0x820006e8: canary=0xdeadc0de  ours=0x00000000
+  +0x06ec=0x820006ec: canary=0xdeadc0de  ours=0x00000000
+  +0x06f0=0x820006f0: canary=0xdeadc0de  ours=0x00000000
+  +0x06f4=0x820006f4: canary=0xdeadc0de  ours=0x00000000
+  +0x06f8=0x820006f8: canary=0x30003000  ours=0x40000000
+  +0x06fc=0x820006fc: canary=0xdeadc0de  ours=0x00000000
+  +0x0700=0x82000700: canary=0x30009000  ours=0x00020000
+  ... and 140 more on this page
+
+--- page 0x82840000 ---
+  +0xda7c=0x8284da7c: canary=0x44000042  ours=0x0100028c
+  +0xda80=0x8284da80: canary=0x4e800020  ours=0x0200028c
+  +0xda84=0x8284da84: canary=0x60000000  ours=0x7d6903a6
+  +0xda88=0x8284da88: canary=0x60000000  ours=0x4e800420
+  +0xda8c=0x8284da8c: canary=0x44000042  ours=0x010002bc
+  +0xda90=0x8284da90: canary=0x4e800020  ours=0x020002bc
+  +0xda94=0x8284da94: canary=0x60000000  ours=0x7d6903a6
+  +0xda98=0x8284da98: canary=0x60000000  ours=0x4e800420
+  +0xda9c=0x8284da9c: canary=0x44000042  ours=0x010002c1
+  +0xdaa0=0x8284daa0: canary=0x4e800020  ours=0x020002c1
+  +0xdaa4=0x8284daa4: canary=0x60000000  ours=0x7d6903a6
+  +0xdaa8=0x8284daa8: canary=0x60000000  ours=0x4e800420
+  +0xdaac=0x8284daac: canary=0x44000042  ours=0x010002d5
+  +0xdab0=0x8284dab0: canary=0x4e800020  ours=0x020002d5
+  +0xdab4=0x8284dab4: canary=0x60000000  ours=0x7d6903a6
+  +0xdab8=0x8284dab8: canary=0x60000000  ours=0x4e800420
+  +0xdabc=0x8284dabc: canary=0x44000042  ours=0x010002cb
+  +0xdac0=0x8284dac0: canary=0x4e800020  ours=0x020002cb
+  +0xdac4=0x8284dac4: canary=0x60000000  ours=0x7d6903a6
+  +0xdac8=0x8284dac8: canary=0x60000000  ours=0x4e800420
+  +0xdacc=0x8284dacc: canary=0x44000042  ours=0x010002d9
+  +0xdad0=0x8284dad0: canary=0x4e800020  ours=0x020002d9
+  +0xdad4=0x8284dad4: canary=0x60000000  ours=0x7d6903a6
+  +0xdad8=0x8284dad8: canary=0x60000000  ours=0x4e800420
+  +0xdadc=0x8284dadc: canary=0x44000042  ours=0x010001b3
+  +0xdae0=0x8284dae0: canary=0x4e800020  ours=0x020001b3
+  +0xdae4=0x8284dae4: canary=0x60000000  ours=0x7d6903a6
+  +0xdae8=0x8284dae8: canary=0x60000000  ours=0x4e800420
+  +0xdaec=0x8284daec: canary=0x44000042  ours=0x010001b1
+  +0xdaf0=0x8284daf0: canary=0x4e800020  ours=0x020001b1
+  +0xdaf4=0x8284daf4: canary=0x60000000  ours=0x7d6903a6
+  +0xdaf8=0x8284daf8: canary=0x60000000  ours=0x4e800420
+  +0xdafc=0x8284dafc: canary=0x44000042  ours=0x010001af
+  +0xdb00=0x8284db00: canary=0x4e800020  ours=0x020001af
+  +0xdb04=0x8284db04: canary=0x60000000  ours=0x7d6903a6
+  +0xdb08=0x8284db08: canary=0x60000000  ours=0x4e800420
+  +0xdb0c=0x8284db0c: canary=0x44000042  ours=0x010001a4
+  +0xdb10=0x8284db10: canary=0x4e800020  ours=0x020001a4
+  +0xdb14=0x8284db14: canary=0x60000000  ours=0x7d6903a6
+  +0xdb18=0x8284db18: canary=0x60000000  ours=0x4e800420
+  +0xdb1c=0x8284db1c: canary=0x44000042  ours=0x010001f7
+  +0xdb20=0x8284db20: canary=0x4e800020  ours=0x020001f7
+  +0xdb24=0x8284db24: canary=0x60000000  ours=0x7d6903a6
+  +0xdb28=0x8284db28: canary=0x60000000  ours=0x4e800420
+  +0xdb2c=0x8284db2c: canary=0x44000042  ours=0x0100020e
+  +0xdb30=0x8284db30: canary=0x4e800020  ours=0x0200020e
+  +0xdb34=0x8284db34: canary=0x60000000  ours=0x7d6903a6
+  +0xdb38=0x8284db38: canary=0x60000000  ours=0x4e800420
+  +0xdb3c=0x8284db3c: canary=0x44000042  ours=0x01000210
+  +0xdb40=0x8284db40: canary=0x4e800020  ours=0x02000210
+  +0xdb44=0x8284db44: canary=0x60000000  ours=0x7d6903a6
+  +0xdb48=0x8284db48: canary=0x60000000  ours=0x4e800420
+  +0xdb4c=0x8284db4c: canary=0x44000042  ours=0x01000282
+  +0xdb50=0x8284db50: canary=0x4e800020  ours=0x02000282
+  +0xdb54=0x8284db54: canary=0x60000000  ours=0x7d6903a6
+  +0xdb58=0x8284db58: canary=0x60000000  ours=0x4e800420
+  +0xdb5c=0x8284db5c: canary=0x44000042  ours=0x010002f7
+  +0xdb60=0x8284db60: canary=0x4e800020  ours=0x020002f7
+  +0xdb64=0x8284db64: canary=0x60000000  ours=0x7d6903a6
+  +0xdb68=0x8284db68: canary=0x60000000  ours=0x4e800420
+  +0xdb6c=0x8284db6c: canary=0x44000042  ours=0x010002ee
+  +0xdb70=0x8284db70: canary=0x4e800020  ours=0x020002ee
+  +0xdb74=0x8284db74: canary=0x60000000  ours=0x7d6903a6
+  +0xdb78=0x8284db78: canary=0x60000000  ours=0x4e800420
+  ... and 712 more on this page
+
+--- page 0x82870000 ---
+  +0x0948=0x82870948: canary=0xf800001c  ours=0x8287093c
+  +0x0958=0x82870958: canary=0xf8000014  ours=0x8287094c
+  +0x2678=0x82872678: canary=0x00000000  ours=0xffffffff
+  +0x267c=0x8287267c: canary=0x00000001  ours=0x00000000
+  +0x2680=0x82872680: canary=0x30019018  ours=0x00000000
+  +0x2698=0x82872698: canary=0x00000000  ours=0xffffffff
+  +0x269c=0x8287269c: canary=0x00000001  ours=0x00000000
+  +0x26a0=0x828726a0: canary=0x30025018  ours=0x00000000
+
+--- page 0x82880000 ---
+  +0x3254=0x82883254: canary=0xfbcefd1f  ours=0x48bd64d9
+  +0x3258=0x82883258: canary=0x043102e0  ours=0xb7429b26
+
+--- page 0x828a0000 ---
+  +0x2904=0x828a2904: canary=0x00009301  ours=0x00000000
+  +0x2908=0x828a2908: canary=0x64e60700  ours=0x00000000
+  +0x291c=0x828a291c: canary=0x00000002  ours=0x00000000
+  +0x2920=0x828a2920: canary=0x02000005  ours=0x00000000
+  +0x2924=0x828a2924: canary=0x01010202  ours=0x00000000
+  +0x2b7c=0x828a2b7c: canary=0x535107d4  ours=0x00000000
+  +0x3228=0x828a3228: canary=0x58454e00  ours=0x828a3228
+  +0x322c=0x828a322c: canary=0xf8000084  ours=0x828a3228
+  +0x3230=0x828a3230: canary=0x05000000  ours=0x05000500
+  +0x323c=0x828a323c: canary=0xf8000070  ours=0x828a3230
+  +0x324c=0x828a324c: canary=0x58454e00  ours=0x828a324c
+  +0x3250=0x828a3250: canary=0xf8000080  ours=0x828a324c
+  +0x3260=0x828a3260: canary=0xf800007c  ours=0x828a3254
+  +0x3264=0x828a3264: canary=0xbe628edc  ours=0x4250dedc
+  +0x3268=0x828a3268: canary=0x1fca7000  ours=0x00000000
+  +0x5a40=0x828a5a40: canary=0xbc22c850  ours=0x40111850
+  +0x5a44=0x828a5a44: canary=0xbc65c900  ours=0x40541900
+  +0x5a48=0x828a5a48: canary=0xbc65c900  ours=0x40541900
+  +0x5a60=0x828a5a60: canary=0xbc65c900  ours=0x40541900
+  +0x6904=0x828a6904: canary=0xb4490000  ours=0x4b90c000
+  +0x6908=0x828a6908: canary=0x00000000  ours=0x00000001
+  +0x6930=0x828a6930: canary=0x00000000  ours=0x00000003
+  +0x6934=0x828a6934: canary=0x00000000  ours=0x00000001
+  +0x6938=0x828a6938: canary=0x00000000  ours=0x00000001
+  +0x693c=0x828a693c: canary=0x00000000  ours=0x4c945820
+  +0x6940=0x828a6940: canary=0x00000000  ours=0x00000166
+  +0x6944=0x828a6944: canary=0x00000000  ours=0x4c9484e0
+  +0x6948=0x828a6948: canary=0x00000000  ours=0x00005286
+  +0x694c=0x828a694c: canary=0x00000000  ours=0x4c94d800
+  +0x6950=0x828a6950: canary=0x00000000  ours=0x00882000
+  +0x6954=0x828a6954: canary=0x00000000  ours=0x40d09bc0
+  +0x6958=0x828a6958: canary=0x00000000  ours=0x40d09d40
+  +0x6ec4=0x828a6ec4: canary=0xb4491640  ours=0x4b90d640
+  +0x6ec8=0x828a6ec8: canary=0xb449ca04  ours=0x4b9eb210
+  +0x6ecc=0x828a6ecc: canary=0xb456eab0  ours=0x4b9eaab0
+  +0x8600=0x828a8600: canary=0xbcd24b00  ours=0x40c09a00
+  +0x865c=0x828a865c: canary=0xbc22c910  ours=0x40111890
+
+--- page 0x828e0000 ---
+  +0x1e80=0x828e1e80: canary=0x00000000  ours=0x40541e80
+  +0x1f08=0x828e1f08: canary=0xbc22c910  ours=0x40111890
+  +0x1fbc=0x828e1fbc: canary=0x00000001  ours=0x00000003
+  +0x2af8=0x828e2af8: canary=0x01010000  ours=0x01000000
+  +0x2b14=0x828e2b14: canary=0xbc220000  ours=0x40105000
+  +0x2b18=0x828e2b18: canary=0xbc1a0000  ours=0x43b78000
+  +0x2b1c=0x828e2b1c: canary=0xb50c0000  ours=0x43bf0000
+  +0x2b24=0x828e2b24: canary=0xbc32c880  ours=0x40211880
+  +0x2b28=0x828e2b28: canary=0x00000015  ours=0x00000022
+  +0x2d10=0x828e2d10: canary=0x01010000  ours=0x01000000
+  +0x319c=0x828e319c: canary=0xbc32cc40  ours=0x40211c40
+  +0x3290=0x828e3290: canary=0xbc32cd20  ours=0x40211d20
+  +0x32a8=0x828e32a8: canary=0xbc32cd80  ours=0x40211d80
+  +0x32c0=0x828e32c0: canary=0xbc32cde0  ours=0x40211de0
+  +0x32d8=0x828e32d8: canary=0xbc32ce40  ours=0x40211e40
+  +0x32f0=0x828e32f0: canary=0xbc32cea0  ours=0x40211ea0
+  +0x3308=0x828e3308: canary=0xbc32cf00  ours=0x40211f00
+  +0x3320=0x828e3320: canary=0xbc32cf60  ours=0x40211f60
+  +0x3338=0x828e3338: canary=0xbc32cfc0  ours=0x40211fc0
+  +0x3350=0x828e3350: canary=0xbc32d020  ours=0x40212020
+  +0x3368=0x828e3368: canary=0xbc32d080  ours=0x40212080
+  +0x3380=0x828e3380: canary=0xbc32d0e0  ours=0x402120e0
+  +0x3398=0x828e3398: canary=0xbc32d140  ours=0x40212140
+  +0x33b0=0x828e33b0: canary=0xbc32d1a0  ours=0x402121a0
+  +0x33c8=0x828e33c8: canary=0xbc32d200  ours=0x40212200
+  +0x33e0=0x828e33e0: canary=0xbc32d260  ours=0x40212260
+  +0x33f8=0x828e33f8: canary=0xbc32d2c0  ours=0x402122c0
+  +0x3410=0x828e3410: canary=0xbc32d320  ours=0x40212320
+  +0x3428=0x828e3428: canary=0xbc32d380  ours=0x40212380
+  +0x3440=0x828e3440: canary=0xbc32d3e0  ours=0x402123e0
+  +0x3458=0x828e3458: canary=0xbc32d440  ours=0x40212440
+  +0x3470=0x828e3470: canary=0xbc32d4a0  ours=0x402124a0
+  +0x3488=0x828e3488: canary=0xbc32d500  ours=0x40212500
+  +0x34a0=0x828e34a0: canary=0xbc32d560  ours=0x40212560
+  +0x34b8=0x828e34b8: canary=0xbc32d5c0  ours=0x402125c0
+  +0x34d0=0x828e34d0: canary=0xbc32d620  ours=0x40212620
+  +0x34e8=0x828e34e8: canary=0xbc32d680  ours=0x40212680
+  +0x3500=0x828e3500: canary=0xbc32d6e0  ours=0x402126e0
+  +0x3518=0x828e3518: canary=0xbc32d740  ours=0x40212740
+  +0x3530=0x828e3530: canary=0xbc32d7a0  ours=0x402127a0
+  +0x3548=0x828e3548: canary=0xbc32d800  ours=0x40212800
+  +0x3560=0x828e3560: canary=0xbc32d860  ours=0x40212860
+  +0x3578=0x828e3578: canary=0xbc32d8c0  ours=0x402128c0
+  +0x3590=0x828e3590: canary=0xbc32d920  ours=0x40212920
+  +0x35a8=0x828e35a8: canary=0xbc32d980  ours=0x40212980
+  +0x35c0=0x828e35c0: canary=0xbc32d9e0  ours=0x402129e0
+  +0x35d8=0x828e35d8: canary=0xbc32da40  ours=0x40212a40
+  +0x35f0=0x828e35f0: canary=0xbc32daa0  ours=0x40212aa0
+  +0x3608=0x828e3608: canary=0xbc32db00  ours=0x40212b00
+  +0x3620=0x828e3620: canary=0xbc32db60  ours=0x40212b60
+  +0x3638=0x828e3638: canary=0xbc32dbc0  ours=0x40212bc0
+  +0x37c0=0x828e37c0: canary=0xbc32dc20  ours=0x40212c20
+  +0x37d8=0x828e37d8: canary=0xbc32dc80  ours=0x40212c80
+  +0x37f0=0x828e37f0: canary=0xbc32dce0  ours=0x40212ce0
+  +0x3808=0x828e3808: canary=0xbc32dd40  ours=0x40212d40
+  +0x3820=0x828e3820: canary=0xbc32dda0  ours=0x40212da0
+  +0x3838=0x828e3838: canary=0xbc32de00  ours=0x40212e00
+  +0x3850=0x828e3850: canary=0xbc32de60  ours=0x40212e60
+  +0x3868=0x828e3868: canary=0xbc32dec0  ours=0x40212ec0
+  +0x3880=0x828e3880: canary=0xbc32df20  ours=0x40212f20
+  +0x3898=0x828e3898: canary=0xbc32df80  ours=0x40212f80
+  +0x38b0=0x828e38b0: canary=0xbc32dfe0  ours=0x40212fe0
+  +0x38c8=0x828e38c8: canary=0xbc32e040  ours=0x40213040
+  +0x38e0=0x828e38e0: canary=0xbc32e0a0  ours=0x402130a0
+  ... and 1867 more on this page
+
+--- page 0x828f0000 ---
+  +0x0020=0x828f0020: canary=0xbc359d60  ours=0x4023ed60
+  +0x0038=0x828f0038: canary=0xbc359dc0  ours=0x4023edc0
+  +0x0050=0x828f0050: canary=0xbc359e20  ours=0x4023ee20
+  +0x0068=0x828f0068: canary=0xbc359e80  ours=0x4023ee80
+  +0x0080=0x828f0080: canary=0xbc359ee0  ours=0x4023eee0
+  +0x0098=0x828f0098: canary=0xbc359f40  ours=0x4023ef40
+  +0x00b0=0x828f00b0: canary=0xbc359fa0  ours=0x4023efa0
+  +0x00c8=0x828f00c8: canary=0xbc35a000  ours=0x4023f000
+  +0x00e0=0x828f00e0: canary=0xbc35a060  ours=0x4023f060
+  +0x00f8=0x828f00f8: canary=0xbc35a0c0  ours=0x4023f0c0
+  +0x0110=0x828f0110: canary=0xbc35a120  ours=0x4023f120
+  +0x0128=0x828f0128: canary=0xbc35a180  ours=0x4023f180
+  +0x0140=0x828f0140: canary=0xbc35a1e0  ours=0x4023f1e0
+  +0x0158=0x828f0158: canary=0xbc35a240  ours=0x4023f240
+  +0x0170=0x828f0170: canary=0xbc35a2a0  ours=0x4023f2a0
+  +0x0188=0x828f0188: canary=0xbc35a300  ours=0x4023f300
+  +0x01a0=0x828f01a0: canary=0xbc35a360  ours=0x4023f360
+  +0x01b8=0x828f01b8: canary=0xbc35a3c0  ours=0x4023f3c0
+  +0x01d0=0x828f01d0: canary=0xbc35a420  ours=0x4023f420
+  +0x01e8=0x828f01e8: canary=0xbc35a480  ours=0x4023f480
+  +0x0200=0x828f0200: canary=0xbc35a4e0  ours=0x4023f4e0
+  +0x0218=0x828f0218: canary=0xbc35a540  ours=0x4023f540
+  +0x0230=0x828f0230: canary=0xbc35a5a0  ours=0x4023f5a0
+  +0x0248=0x828f0248: canary=0xbc35a600  ours=0x4023f600
+  +0x0260=0x828f0260: canary=0xbc35a660  ours=0x4023f660
+  +0x0278=0x828f0278: canary=0xbc35a6c0  ours=0x4023f6c0
+  +0x0290=0x828f0290: canary=0xbc35a720  ours=0x4023f720
+  +0x02a8=0x828f02a8: canary=0xbc35a780  ours=0x4023f780
+  +0x02c0=0x828f02c0: canary=0xbc35a7e0  ours=0x4023f7e0
+  +0x02d8=0x828f02d8: canary=0xbc35a840  ours=0x4023f840
+  +0x02f0=0x828f02f0: canary=0xbc35a8a0  ours=0x4023f8a0
--- a/audit-runs/audit-026-mem-diff/peek_anchors.py
+++ b/audit-runs/audit-026-mem-diff/peek_anchors.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+"""Side-by-side dword dump at named anchor addresses for both canary and ours."""
+import struct, os
+here = os.path.dirname(os.path.abspath(__file__))
+canary = open(os.path.join(here, "canary-v80.bin"), "rb").read()
+ours   = open(os.path.join(here, "ours-v80.bin"), "rb").read()
+V80 = 0x80000000
+
+def dump(addr, n=16, label=""):
+    off = addr - V80
+    print(f"=== {addr:#010x} {label} ===")
+    for j in range(n):
+        a = addr + j*4
+        c = struct.unpack_from(">I", canary, off + j*4)[0]
+        o = struct.unpack_from(">I", ours,   off + j*4)[0]
+        mark = "  " if c == o else "DIFF"
+        print(f"  {a:#010x} canary={c:#010x}  ours={o:#010x}  {mark}")
+    print()
+
+for a, n, lbl in [
+    (0x828F4070, 32, "0x15e4 worker singleton"),
+    (0x828F4838, 32, "audit-023 listener struct"),
+    (0x828F3D08, 16, "0x100c dispatcher"),
+    (0x828F3EC0, 16, "0x1004 dispatcher"),
+    (0x828F48B0, 24, "audit-024A singleton-pool start"),
+    (0x828A3230, 16, "audio buffer-completion semaphore"),
+    (0x828A3254, 12, "audit-025 audio wait target"),
+    (0x82006CF4, 8,  "audit-025 audio_system vtable"),
+    (0x828A6900, 24, "0x828a0000 page diff cluster"),
+]:
+    dump(a, n, lbl)
--- a/audit-runs/audit-026-mem-diff/sanity.py
+++ b/audit-runs/audit-026-mem-diff/sanity.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+"""Sanity-check the v80 captures: byte-counts, equal-dword counts, raw PC counts."""
+import struct
+import os
+
+here = os.path.dirname(os.path.abspath(__file__))
+canary = open(os.path.join(here, "canary-v80.bin"), "rb").read()
+ours = open(os.path.join(here, "ours-v80.bin"), "rb").read()
+print(f"canary len: {len(canary)}")
+print(f"ours len:   {len(ours)}")
+
+c_nonzero = sum(1 for b in canary if b != 0)
+o_nonzero = sum(1 for b in ours if b != 0)
+print(f"canary non-zero bytes: {c_nonzero} ({c_nonzero/len(canary)*100:.2f}%)")
+print(f"ours non-zero bytes:   {o_nonzero} ({o_nonzero/len(ours)*100:.2f}%)")
+
+# Sliding 64KB window: byte-equal pages
+PG = 65536
+c_pgs = sum(1 for i in range(0, len(canary), PG) if any(canary[i:i+PG]))
+o_pgs = sum(1 for i in range(0, len(ours), PG) if any(ours[i:i+PG]))
+print(f"canary 64K-pages with any non-zero: {c_pgs}")
+print(f"ours   64K-pages with any non-zero: {o_pgs}")
+
+# Compare per 64K page where canary has data:
+both, only_c, only_o, neither, equal = 0, 0, 0, 0, 0
+for i in range(0, len(canary), PG):
+    cnz = any(canary[i:i+PG])
+    onz = any(ours[i:i+PG])
+    if cnz and onz:
+        both += 1
+        if canary[i:i+PG] == ours[i:i+PG]:
+            equal += 1
+    elif cnz:
+        only_c += 1
+    elif onz:
+        only_o += 1
+    else:
+        neither += 1
+print(f"64K-page comparison: both_have_data={both}  byte_equal_among_those={equal}  canary_only={only_c}  ours_only={only_o}")
+
+# Count PC-range dwords on each side overall
+PC_LO, PC_HI = 0x82000000, 0x82A00000
+c_pc = sum(1 for i in range(0, len(canary), 4) if PC_LO <= struct.unpack_from(">I", canary, i)[0] < PC_HI)
+o_pc = sum(1 for i in range(0, len(ours), 4) if PC_LO <= struct.unpack_from(">I", ours, i)[0] < PC_HI)
+print(f"canary dwords in PC range: {c_pc}")
+print(f"ours   dwords in PC range: {o_pc}")
--- a/audit-runs/audit-026-mem-diff/tables.txt
+++ b/audit-runs/audit-026-mem-diff/tables.txt
@@ -0,0 +1,2 @@
+# Consecutive A-list runs (>=4 dwords): 0 runs
+
				`@@ -0,0 +1 @@`
				`# A-list: 0 entries — canary has 0x82xxxxxx PC, ours differs`
				`@@ -0,0 +1 @@`
				`# canary PC value bucket (0x1000-aligned) -> count of A-list entries`
				`@@ -0,0 +1 @@`
				`# Renderer cluster L1 PC hits in canary's v80 (count=0)`
				`@@ -0,0 +1,2 @@`
				`# Consecutive A-list runs (>=4 dwords): 0 runs`