chore: track audit-runs summary artifacts (md/csv/diff/txt/json/etc)

Snapshot of every non-log artifact under audit-runs/ from audits 003
through 058: findings.md per audit, comparison CSVs, probe diffs,
schema docs, register-dump txts, lr-trace JSONL streams, the saved
canary patch diffs, etc. ~284 files / ~52 MB total.

Excluded (per .gitignore): probe stdout/stderr/log streams (the raw
firehose), guest-memory dumps under audit-026/027/029 (4.5 GB of
.bin files; *.bin pattern added to .gitignore this commit).

Also adds the orphan audit-058-sub825070F0-activation directory that
a subagent accidentally created at project-root instead of
under xenia-rs/audit-runs/; relocated to its proper home.

Purpose: cross-machine continuity. With these summaries committed,
a fresh clone gives the next session the full per-audit context
(findings + tables + cascade predictions) without dependence on
local-only working tree.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

audit-runs/audit-029-physical-mem-diff/audit017-hits.txt

@@ -0,0 +1 @@
+# audit-017 chain PC hits (count=0)

audit-runs/audit-029-physical-mem-diff/cluster_l1_pcs.txt

@@ -0,0 +1,116 @@
+0x822851e0	sub_822851E0
+0x82285c78	sub_82285C78
+0x82285d58	sub_82285D58
+0x82285dd0	sub_82285DD0
+0x82285e30	sub_82285E30
+0x82285f80	sub_82285F80
+0x82286030	sub_82286030
+0x82286118	sub_82286118
+0x822861f0	sub_822861F0
+0x822862d0	sub_822862D0
+0x82286438	sub_82286438
+0x82286528	sub_82286528
+0x82286628	sub_82286628
+0x82286798	sub_82286798
+0x82286908	sub_82286908
+0x82286b40	sub_82286B40
+0x82286bc8	sub_82286BC8
+0x822873a8	sub_822873A8
+0x822878a8	sub_822878A8
+0x82287f08	sub_82287F08
+0x82288028	sub_82288028
+0x82288a18	sub_82288A18
+0x82288e70	sub_82288E70
+0x82289950	sub_82289950
+0x82289c68	sub_82289C68
+0x82289dd0	sub_82289DD0
+0x82289fd0	sub_82289FD0
+0x8228a140	sub_8228A140
+0x8228a150	sub_8228A150
+0x8228a220	sub_8228A220
+0x8228a260	sub_8228A260
+0x8228a268	sub_8228A268
+0x8228a318	sub_8228A318
+0x8228a478	sub_8228A478
+0x8228a548	sub_8228A548
+0x8228a5b8	sub_8228A5B8
+0x8228a628	sub_8228A628
+0x8228a650	sub_8228A650
+0x8228a700	sub_8228A700
+0x8228a7a8	sub_8228A7A8
+0x8228a810	sub_8228A810
+0x8228a890	sub_8228A890
+0x8228a920	sub_8228A920
+0x8228aa30	sub_8228AA30
+0x8228aac8	sub_8228AAC8
+0x8228aed0	sub_8228AED0
+0x8228b000	sub_8228B000
+0x8228b0a0	sub_8228B0A0
+0x8228b188	sub_8228B188
+0x8228b208	sub_8228B208
+0x8228b2d0	sub_8228B2D0
+0x8228b3b0	sub_8228B3B0
+0x8228b458	sub_8228B458
+0x8228b580	sub_8228B580
+0x8228b638	sub_8228B638
+0x8228b688	sub_8228B688
+0x8228b6e8	sub_8228B6E8
+0x8228bb00	sub_8228BB00
+0x8228bbc8	sub_8228BBC8
+0x8228bc48	sub_8228BC48
+0x8228bd18	sub_8228BD18
+0x8228bd90	sub_8228BD90
+0x8228be08	sub_8228BE08
+0x8228bf00	sub_8228BF00
+0x8228c0b8	sub_8228C0B8
+0x8228c150	sub_8228C150
+0x8228c3f0	sub_8228C3F0
+0x8228c4a0	sub_8228C4A0
+0x8228c678	sub_8228C678
+0x8228c7f0	sub_8228C7F0
+0x8228c9a8	sub_8228C9A8
+0x8228caf8	sub_8228CAF8
+0x8228cc18	sub_8228CC18
+0x8228cd10	sub_8228CD10
+0x8228ce50	sub_8228CE50
+0x8228cf50	sub_8228CF50
+0x8228d0d0	sub_8228D0D0
+0x8228d138	sub_8228D138
+0x8228d150	sub_8228D150
+0x8228d320	sub_8228D320
+0x8228d418	sub_8228D418
+0x8228d598	sub_8228D598
+0x8228d670	sub_8228D670
+0x8228d760	sub_8228D760
+0x8228daf8	sub_8228DAF8
+0x8228e030	sub_8228E030
+0x8228e0a0	sub_8228E0A0
+0x8228e138	sub_8228E138
+0x8228e208	sub_8228E208
+0x8228e498	sub_8228E498
+0x8228e4d0	sub_8228E4D0
+0x8228e538	sub_8228E538
+0x8228e5e8	sub_8228E5E8
+0x8228e688	sub_8228E688
+0x8228ef60	sub_8228EF60
+0x8228f6d0	sub_8228F6D0
+0x8228f7c0	sub_8228F7C0
+0x8228f808	sub_8228F808
+0x8228f858	sub_8228F858
+0x8228fbb8	sub_8228FBB8
+0x8228fbd0	sub_8228FBD0
+0x8228fd48	sub_8228FD48
+0x8228fdb8	sub_8228FDB8
+0x822900a8	sub_822900A8
+0x82290bc8	sub_82290BC8
+0x82290c70	sub_82290C70
+0x82290d00	sub_82290D00
+0x82291410	sub_82291410
+0x822917a0	sub_822917A0
+0x822919c8	sub_822919C8
+0x82292838	sub_82292838
+0x82292d80	sub_82292D80
+0x82293448	sub_82293448
+0x82293ec8	sub_82293EC8
+0x82293f30	sub_82293F30
+0x82293f80	sub_82293F80

audit-runs/audit-029-physical-mem-diff/diff_physical.py

@@ -0,0 +1,204 @@
+#!/usr/bin/env python3
+"""One-sided PC enumeration for canary's physical heap.
+
+Our impl has NO separate physical-memory region (architectural difference,
+exposed by audit-027 -- MmAllocatePhysicalMemoryEx folds into the v40 bump
+allocator at 0x40000000+). Both 0xA0000000 and 0xE0000000 alias dumps from
+our impl yielded 0 committed pages, as does flat 0x00000000.
+
+Therefore: every 0x82xxxxxx PC in canary-physical.bin is automatically a
+divergence vs our impl (we have zeros there). This script enumerates them.
+
+Outputs:
+  diff.txt           every (canary_phys_addr, pc) pair
+  histogram.txt      bucket count by PC's 0x1000-aligned function
+  l1-hits.txt        renderer-cluster L1 PC hits (broad + narrow)
+  audit017-hits.txt  audit-017 chain PC hits
+  v40table-hits.txt  the 18 PCs from our v40 table at 0x40211900
+  tables.txt         consecutive PC runs (>=4 dwords)
+  pages.txt          per-page divergence count
+  pc-summary.txt     summary by canary-physical address
+"""
+import struct
+import os
+from collections import defaultdict
+
+PHYS_LEN = 0x20000000
+PC_LO = 0x82000000
+PC_HI = 0x82A00000
+
+# audit-017 chain PCs
+AUDIT017_CHAIN = {
+    0x82184318: "sub_82184318",
+    0x82184374: "0x82184374 (writer)",
+    0x82187768: "sub_82187768",
+    0x82187dd0: "sub_82187DD0",
+    0x82183ca8: "sub_82183CA8",
+    0x822919c8: "sub_822919C8",
+    0x82186760: "sub_82186760",
+    0x821c88d0: "sub_821C88D0",
+}
+
+# Narrow audit-009 cluster L1 set
+NARROW_L1 = {
+    0x822919C8: "sub_822919C8",
+    0x82293448: "sub_82293448",
+    0x82288028: "sub_82288028",
+    0x82292D80: "sub_82292d80",
+    0x822851E0: "sub_822851e0",
+    0x82286BC8: "sub_82286bc8",
+}
+
+# 18 PCs in our v40 table at 0x40211900 (cross-reference)
+V40_TABLE_PCS = {
+    0x82183ae8, 0x82187e38, 0x8218cf10, 0x82191b18,
+    0x821958c8, 0x82197448, 0x82199600, 0x82199ab0,
+    0x821a3a50, 0x821ac770, 0x821b0378, 0x821b41f0,
+    0x821b7178, 0x821ba1c8, 0x821bd470, 0x821bfad0,
+    0x821c0288, 0x821c09d8,
+}
+
+def main():
+    here = os.path.dirname(os.path.abspath(__file__))
+    canary = open(os.path.join(here, "canary-physical.bin"), "rb").read()
+    assert len(canary) == PHYS_LEN, len(canary)
+
+    # Load broad cluster L1 set
+    cluster_pcs = {}
+    cl1 = os.path.join(here, "cluster_l1_pcs.txt")
+    if os.path.exists(cl1):
+        with open(cl1) as f:
+            for ln in f:
+                ln = ln.strip()
+                if not ln: continue
+                parts = ln.split()
+                cluster_pcs[int(parts[0], 16)] = parts[1] if len(parts) > 1 else f"sub_{int(parts[0],16):08X}"
+
+    a_list = []  # (phys_addr, pc)
+    page_size = 4096
+    page_count = defaultdict(int)
+    bucket = defaultdict(int)
+    for i in range(0, PHYS_LEN, 4):
+        dw = struct.unpack_from(">I", canary, i)[0]
+        if PC_LO <= dw < PC_HI:
+            a_list.append((i, dw))
+            page_count[i & ~(page_size - 1)] += 1
+            bucket[dw & ~0xFFF] += 1
+
+    print(f"[i] total 0x82xxxxxx PC dwords on canary physical heap: {len(a_list)}")
+
+    LIMIT = 200000
+    with open(os.path.join(here, "diff.txt"), "w") as f:
+        f.write(f"# {len(a_list)} 0x82xxxxxx PC dwords on canary's physical heap\n")
+        f.write(f"# (ours has no committed pages in this region, so all are divergent)\n")
+        f.write(f"# (truncated to first {LIMIT} if larger)\n")
+        for paddr, pc in a_list[:LIMIT]:
+            f.write(f"phys={paddr:#010x}  pc={pc:#010x}\n")
+
+    sorted_b = sorted(bucket.items(), key=lambda x: -x[1])
+    with open(os.path.join(here, "histogram.txt"), "w") as f:
+        f.write("# canary PC value bucket (0x1000-aligned) -> occurrence count on physical heap\n")
+        for k, v in sorted_b:
+            f.write(f"{k:#010x}  {v}\n")
+    print(f"[i] top 25 PC buckets (canary physical-heap occurrences):")
+    for k, v in sorted_b[:25]:
+        print(f"    {k:#010x}  {v}")
+
+    # Cluster L1 hits
+    l1_hits_broad = []
+    l1_hits_narrow = []
+    for paddr, pc in a_list:
+        if pc in cluster_pcs:
+            l1_hits_broad.append((paddr, pc, cluster_pcs[pc]))
+        if pc in NARROW_L1:
+            l1_hits_narrow.append((paddr, pc, NARROW_L1[pc]))
+    with open(os.path.join(here, "l1-hits.txt"), "w") as f:
+        f.write(f"# Renderer cluster L1 PC hits in canary's physical heap (broad set, count={len(l1_hits_broad)})\n")
+        for paddr, pc, name in l1_hits_broad:
+            f.write(f"phys={paddr:#010x}  pc={pc:#010x}  // {name}\n")
+        f.write(f"\n# Narrow hand-picked subset (count={len(l1_hits_narrow)})\n")
+        for paddr, pc, name in l1_hits_narrow:
+            f.write(f"phys={paddr:#010x}  pc={pc:#010x}  // {name}\n")
+    print(f"[i] L1 PC hits (broad 116-fn cluster): {len(l1_hits_broad)}")
+    print(f"[i] L1 PC hits (narrow 6-fn picks):    {len(l1_hits_narrow)}")
+    for paddr, pc, name in l1_hits_broad[:30]:
+        print(f"    phys={paddr:#010x}  pc={pc:#010x}  // {name}")
+
+    # audit-017 chain hits
+    a17_hits = []
+    for paddr, pc in a_list:
+        if pc in AUDIT017_CHAIN:
+            a17_hits.append((paddr, pc, AUDIT017_CHAIN[pc]))
+    with open(os.path.join(here, "audit017-hits.txt"), "w") as f:
+        f.write(f"# audit-017 chain PC hits (count={len(a17_hits)})\n")
+        for paddr, pc, name in a17_hits:
+            f.write(f"phys={paddr:#010x}  pc={pc:#010x}  // {name}\n")
+    print(f"[i] audit-017 chain PC hits: {len(a17_hits)}")
+    for paddr, pc, name in a17_hits[:30]:
+        print(f"    phys={paddr:#010x}  pc={pc:#010x}  // {name}")
+
+    # v40 table cross-reference
+    v40_hits = []
+    for paddr, pc in a_list:
+        if pc in V40_TABLE_PCS:
+            v40_hits.append((paddr, pc))
+    with open(os.path.join(here, "v40table-hits.txt"), "w") as f:
+        f.write(f"# Hits where canary stores one of the 18 PCs from our v40 table at 0x40211900\n")
+        f.write(f"# (audit-027 hypothesis: this table belongs on physical heap in canary)\n")
+        f.write(f"# count={len(v40_hits)}\n")
+        for paddr, pc in v40_hits:
+            f.write(f"phys={paddr:#010x}  pc={pc:#010x}\n")
+    print(f"[i] v40-table PC hits on canary physical: {len(v40_hits)}")
+    if v40_hits:
+        print(f"    sample addrs:")
+        for paddr, pc in v40_hits[:20]:
+            print(f"      phys={paddr:#010x}  pc={pc:#010x}")
+
+    # Tables: consecutive PC runs >= 4 dwords
+    runs = []
+    a_sorted = sorted(a_list)
+    j = 0
+    while j < len(a_sorted):
+        start = j
+        while j + 1 < len(a_sorted) and a_sorted[j+1][0] == a_sorted[j][0] + 4:
+            j += 1
+        if j - start + 1 >= 4:
+            entries = a_sorted[start:j+1]
+            runs.append((entries[0][0], len(entries), entries))
+        j += 1
+    runs.sort(key=lambda r: -r[1])
+    with open(os.path.join(here, "tables.txt"), "w") as f:
+        f.write(f"# Consecutive PC dword runs (>=4 dwords): {len(runs)} runs\n\n")
+        for base, length, entries in runs[:200]:
+            f.write(f"=== run base={base:#010x} length={length} ===\n")
+            for paddr, pc in entries[:64]:
+                f.write(f"  +{paddr-base:#06x}: pc={pc:#010x}\n")
+            if length > 64:
+                f.write(f"  ... and {length-64} more\n")
+            f.write("\n")
+    print(f"[i] table-shaped runs (>=4 consecutive PC dwords on canary physical): {len(runs)}")
+    for base, length, _ in runs[:15]:
+        print(f"    base={base:#010x}  length={length}")
+
+    # Pages with PC content
+    page_sorted = sorted(page_count.items(), key=lambda x: -x[1])
+    with open(os.path.join(here, "pages.txt"), "w") as f:
+        f.write(f"# 4K pages with PC dwords on canary's physical heap (count={len(page_sorted)})\n")
+        for pg, cnt in page_sorted:
+            f.write(f"page={pg:#010x}  pc_count={cnt}\n")
+    print(f"[i] 4K pages containing PCs: {len(page_sorted)}")
+
+    # Larger 64K page-region summary
+    region_count = defaultdict(int)
+    for paddr, pc in a_list:
+        region_count[paddr & ~0xFFFF] += 1
+    with open(os.path.join(here, "pc-summary.txt"), "w") as f:
+        f.write(f"# 64K-aligned region PC density on canary's physical heap\n")
+        for region, cnt in sorted(region_count.items(), key=lambda x: -x[1]):
+            f.write(f"region={region:#010x}  pc_count={cnt}\n")
+    print(f"[i] 64K-aligned regions with PCs: {len(region_count)}")
+    for r, c in sorted(region_count.items(), key=lambda x: -x[1])[:15]:
+        print(f"    region={r:#010x}  pc_count={c}")
+
+if __name__ == "__main__":
+    main()

audit-runs/audit-029-physical-mem-diff/extract_physical.py

@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+"""Extract canary's physical heap (5th heap) as a flat 512MB binary.
+
+Walks the canary Memory::Save dump in heap order (v00, v40, v80, v90, physical),
+skipping past the first four, then for `physical` writes each committed 4096-byte
+page to its file offset (page_idx * 4096). Uncommitted pages stay zero.
+
+Per memory.cc:222-242:
+  v00      base 0x00000000 size 0x40000000 pgsz 4096   -> 262144 pages
+  v40      base 0x40000000 size 0x3F000000 pgsz 65536  ->  16128 pages
+  v80      base 0x80000000 size 0x10000000 pgsz 65536  ->   4096 pages
+  v90      base 0x90000000 size 0x10000000 pgsz 4096   ->  65536 pages
+  physical base 0x00000000 size 0x20000000 pgsz 4096   -> 131072 pages
+
+Each per-page header is an 8-byte qword; state is at qword bits 60-61 (per
+audit-022 empirical finding). state==0 means uncommitted (no payload follows);
+otherwise (state & K_COMMIT)==2 means a 4096/65536-byte payload follows.
+
+NOTE: This file format is reverse-engineered. The audit-026/027 scripts
+implicitly handled the reserved-but-not-committed case by checking
+`state != 0 and (state & K_COMMIT)`. We mirror the same logic here.
+"""
+import struct
+import sys
+import os
+
+HEAPS = [
+    ("v00000000", 0x00000000, 0x40000000, 4096),
+    ("v40000000", 0x40000000, 0x3F000000, 65536),
+    ("v80000000", 0x80000000, 0x10000000, 65536),
+    ("v90000000", 0x90000000, 0x10000000, 4096),
+    ("physical",  0x00000000, 0x20000000, 4096),
+]
+K_COMMIT = 0x2
+
+def main():
+    src = sys.argv[1] if len(sys.argv) > 1 else \
+        "/home/fabi/RE Project Sylpheed/xenia-rs/audit-runs/audit-024a-canary-diff/canary-memory.dump"
+    out = sys.argv[2] if len(sys.argv) > 2 else \
+        os.path.join(os.path.dirname(__file__), "canary-physical.bin")
+    with open(src, "rb") as f:
+        data = f.read()
+    print(f"[i] dump size: {len(data)} bytes ({len(data)/1024/1024:.1f} MiB)")
+    cursor = 0
+    out_buf = None
+    for name, base, size, page_size in HEAPS:
+        page_count = size // page_size
+        committed = 0
+        if name == "physical":
+            out_buf = bytearray(size)
+        for i in range(page_count):
+            qword = struct.unpack_from("<Q", data, cursor)[0]
+            cursor += 8
+            state = (qword >> 60) & 0x3
+            if state != 0 and (state & K_COMMIT):
+                if name == "physical":
+                    out_buf[i*page_size:(i+1)*page_size] = data[cursor:cursor+page_size]
+                cursor += page_size
+                committed += 1
+        print(f"[i] {name}: pages={page_count} committed={committed}")
+    print(f"[i] total parsed: {cursor:#x} (file size: {len(data):#x})")
+    with open(out, "wb") as f:
+        f.write(out_buf)
+    print(f"[i] wrote {len(out_buf)} bytes to {out}")
+
+if __name__ == "__main__":
+    main()

audit-runs/audit-029-physical-mem-diff/l1-hits.txt

@@ -0,0 +1,5 @@
+# Renderer cluster L1 PC hits in canary's physical heap (broad set, count=2)
+phys=0x1330d620  pc=0x8228cc18  // sub_8228CC18
+phys=0x1351ef2c  pc=0x8228a220  // sub_8228A220
+
+# Narrow hand-picked subset (count=0)

audit-runs/audit-029-physical-mem-diff/pc-summary.txt

@@ -0,0 +1,537 @@
+# 64K-aligned region PC density on canary's physical heap
+region=0x144e0000  pc_count=1400
+region=0x144f0000  pc_count=1379
+region=0x144d0000  pc_count=1328
+region=0x144c0000  pc_count=1325
+region=0x14530000  pc_count=1229
+region=0x14490000  pc_count=1020
+region=0x14520000  pc_count=972
+region=0x14500000  pc_count=846
+region=0x144a0000  pc_count=826
+region=0x144b0000  pc_count=752
+region=0x14510000  pc_count=737
+region=0x1c330000  pc_count=684
+region=0x1c340000  pc_count=683
+region=0x1c350000  pc_count=683
+region=0x14540000  pc_count=608
+region=0x1c360000  pc_count=242
+region=0x1e560000  pc_count=237
+region=0x1c320000  pc_count=164
+region=0x1f270000  pc_count=158
+region=0x14560000  pc_count=126
+region=0x13150000  pc_count=121
+region=0x132b0000  pc_count=119
+region=0x1ed70000  pc_count=98
+region=0x14550000  pc_count=97
+region=0x12e60000  pc_count=88
+region=0x12ed0000  pc_count=87
+region=0x13140000  pc_count=86
+region=0x12e10000  pc_count=81
+region=0x15680000  pc_count=80
+region=0x13390000  pc_count=79
+region=0x12dc0000  pc_count=78
+region=0x13220000  pc_count=78
+region=0x13350000  pc_count=77
+region=0x12e80000  pc_count=76
+region=0x13210000  pc_count=76
+region=0x134b0000  pc_count=76
+region=0x13280000  pc_count=75
+region=0x16150000  pc_count=75
+region=0x13030000  pc_count=74
+region=0x132c0000  pc_count=74
+region=0x12e00000  pc_count=73
+region=0x12e50000  pc_count=73
+region=0x12e90000  pc_count=73
+region=0x16410000  pc_count=73
+region=0x12e70000  pc_count=71
+region=0x130d0000  pc_count=71
+region=0x130e0000  pc_count=71
+region=0x16400000  pc_count=71
+region=0x13010000  pc_count=70
+region=0x13120000  pc_count=70
+region=0x13240000  pc_count=70
+region=0x13360000  pc_count=70
+region=0x12d00000  pc_count=69
+region=0x12d70000  pc_count=69
+region=0x131b0000  pc_count=69
+region=0x13300000  pc_count=69
+region=0x13330000  pc_count=69
+region=0x13380000  pc_count=69
+region=0x12cf0000  pc_count=68
+region=0x12ef0000  pc_count=68
+region=0x12f70000  pc_count=68
+region=0x13340000  pc_count=68
+region=0x13430000  pc_count=68
+region=0x13490000  pc_count=68
+region=0x155f0000  pc_count=68
+region=0x12d10000  pc_count=66
+region=0x12e20000  pc_count=66
+region=0x12f60000  pc_count=66
+region=0x13060000  pc_count=66
+region=0x130b0000  pc_count=66
+region=0x13180000  pc_count=66
+region=0x13400000  pc_count=66
+region=0x12e30000  pc_count=65
+region=0x12ee0000  pc_count=65
+region=0x13040000  pc_count=65
+region=0x130f0000  pc_count=65
+region=0x13160000  pc_count=65
+region=0x13290000  pc_count=65
+region=0x12d40000  pc_count=64
+region=0x12dd0000  pc_count=64
+region=0x12f00000  pc_count=64
+region=0x13020000  pc_count=64
+region=0x13200000  pc_count=64
+region=0x132f0000  pc_count=64
+region=0x12eb0000  pc_count=63
+region=0x12f40000  pc_count=63
+region=0x12f50000  pc_count=63
+region=0x133a0000  pc_count=63
+region=0x133d0000  pc_count=63
+region=0x134e0000  pc_count=63
+region=0x165f0000  pc_count=63
+region=0x12f10000  pc_count=62
+region=0x133f0000  pc_count=62
+region=0x12db0000  pc_count=61
+region=0x13190000  pc_count=61
+region=0x131c0000  pc_count=61
+region=0x131f0000  pc_count=61
+region=0x132e0000  pc_count=61
+region=0x13310000  pc_count=61
+region=0x134f0000  pc_count=61
+region=0x12d20000  pc_count=60
+region=0x12d30000  pc_count=60
+region=0x12fd0000  pc_count=60
+region=0x133b0000  pc_count=60
+region=0x13410000  pc_count=60
+region=0x1ed60000  pc_count=60
+region=0x12d90000  pc_count=59
+region=0x12df0000  pc_count=59
+region=0x12ec0000  pc_count=59
+region=0x12f20000  pc_count=59
+region=0x130c0000  pc_count=59
+region=0x131d0000  pc_count=59
+region=0x133c0000  pc_count=59
+region=0x13470000  pc_count=59
+region=0x12e40000  pc_count=58
+region=0x13050000  pc_count=58
+region=0x13100000  pc_count=58
+region=0x13130000  pc_count=58
+region=0x13370000  pc_count=58
+region=0x134c0000  pc_count=58
+region=0x12fe0000  pc_count=57
+region=0x13090000  pc_count=57
+region=0x130a0000  pc_count=57
+region=0x13250000  pc_count=57
+region=0x13520000  pc_count=57
+region=0x1cd20000  pc_count=57
+region=0x12cd0000  pc_count=56
+region=0x12d50000  pc_count=56
+region=0x13230000  pc_count=56
+region=0x13320000  pc_count=56
+region=0x12f90000  pc_count=55
+region=0x12fc0000  pc_count=55
+region=0x131a0000  pc_count=55
+region=0x131e0000  pc_count=55
+region=0x13510000  pc_count=55
+region=0x12da0000  pc_count=54
+region=0x132d0000  pc_count=54
+region=0x12ea0000  pc_count=53
+region=0x12ff0000  pc_count=53
+region=0x13080000  pc_count=53
+region=0x12ce0000  pc_count=52
+region=0x12d80000  pc_count=52
+region=0x13070000  pc_count=52
+region=0x132a0000  pc_count=52
+region=0x13450000  pc_count=52
+region=0x134d0000  pc_count=52
+region=0x12cc0000  pc_count=50
+region=0x13460000  pc_count=50
+region=0x12de0000  pc_count=49
+region=0x13270000  pc_count=49
+region=0x133e0000  pc_count=49
+region=0x12d60000  pc_count=48
+region=0x12f30000  pc_count=48
+region=0x12fb0000  pc_count=48
+region=0x13110000  pc_count=48
+region=0x15c80000  pc_count=48
+region=0x15cb0000  pc_count=48
+region=0x12fa0000  pc_count=47
+region=0x13170000  pc_count=47
+region=0x13500000  pc_count=47
+region=0x12f80000  pc_count=46
+region=0x13000000  pc_count=46
+region=0x13420000  pc_count=46
+region=0x13530000  pc_count=46
+region=0x134a0000  pc_count=45
+region=0x13440000  pc_count=44
+region=0x15a60000  pc_count=43
+region=0x16100000  pc_count=43
+region=0x13480000  pc_count=42
+region=0x129d0000  pc_count=41
+region=0x12cb0000  pc_count=41
+region=0x15ca0000  pc_count=41
+region=0x129c0000  pc_count=37
+region=0x16640000  pc_count=37
+region=0x162b0000  pc_count=36
+region=0x16260000  pc_count=35
+region=0x12a70000  pc_count=34
+region=0x128c0000  pc_count=33
+region=0x12950000  pc_count=33
+region=0x15630000  pc_count=33
+region=0x12a00000  pc_count=32
+region=0x1ed30000  pc_count=32
+region=0x1ed40000  pc_count=32
+region=0x128a0000  pc_count=31
+region=0x15c60000  pc_count=31
+region=0x15c70000  pc_count=31
+region=0x12970000  pc_count=30
+region=0x12980000  pc_count=30
+region=0x12a60000  pc_count=30
+region=0x15670000  pc_count=30
+region=0x16470000  pc_count=30
+region=0x129e0000  pc_count=29
+region=0x12a40000  pc_count=29
+region=0x1f570000  pc_count=29
+region=0x1f5b0000  pc_count=29
+region=0x12890000  pc_count=28
+region=0x12910000  pc_count=28
+region=0x12920000  pc_count=28
+region=0x12960000  pc_count=28
+region=0x129f0000  pc_count=28
+region=0x15ae0000  pc_count=28
+region=0x128d0000  pc_count=27
+region=0x12a20000  pc_count=27
+region=0x12a90000  pc_count=27
+region=0x13260000  pc_count=27
+region=0x15780000  pc_count=27
+region=0x15bb0000  pc_count=27
+region=0x16170000  pc_count=27
+region=0x16430000  pc_count=27
+region=0x16610000  pc_count=27
+region=0x1f370000  pc_count=27
+region=0x128e0000  pc_count=26
+region=0x12930000  pc_count=26
+region=0x12990000  pc_count=26
+region=0x129a0000  pc_count=26
+region=0x15760000  pc_count=26
+region=0x12860000  pc_count=25
+region=0x12900000  pc_count=25
+region=0x12a10000  pc_count=25
+region=0x12aa0000  pc_count=25
+region=0x15640000  pc_count=25
+region=0x15de0000  pc_count=25
+region=0x167f0000  pc_count=25
+region=0x12880000  pc_count=24
+region=0x128b0000  pc_count=24
+region=0x128f0000  pc_count=24
+region=0x160f0000  pc_count=24
+region=0x16480000  pc_count=24
+region=0x16930000  pc_count=24
+region=0x15a80000  pc_count=23
+region=0x16630000  pc_count=23
+region=0x129b0000  pc_count=22
+region=0x12a80000  pc_count=22
+region=0x15750000  pc_count=22
+region=0x16600000  pc_count=22
+region=0x1dfb0000  pc_count=22
+region=0x1e950000  pc_count=22
+region=0x1f580000  pc_count=22
+region=0x1f5c0000  pc_count=22
+region=0x15960000  pc_count=21
+region=0x1f590000  pc_count=21
+region=0x1f5d0000  pc_count=21
+region=0x12850000  pc_count=20
+region=0x15c00000  pc_count=20
+region=0x12a30000  pc_count=19
+region=0x12a50000  pc_count=19
+region=0x15e70000  pc_count=19
+region=0x16250000  pc_count=19
+region=0x167a0000  pc_count=19
+region=0x168a0000  pc_count=19
+region=0x1e890000  pc_count=19
+region=0x1ea90000  pc_count=19
+region=0x1f2b0000  pc_count=19
+region=0x156b0000  pc_count=18
+region=0x16110000  pc_count=18
+region=0x12af0000  pc_count=17
+region=0x15cd0000  pc_count=17
+region=0x16420000  pc_count=17
+region=0x1e620000  pc_count=17
+region=0x1e7a0000  pc_count=17
+region=0x15660000  pc_count=16
+region=0x15f20000  pc_count=16
+region=0x161a0000  pc_count=16
+region=0x16570000  pc_count=16
+region=0x16810000  pc_count=16
+region=0x16940000  pc_count=16
+region=0x1f5a0000  pc_count=16
+region=0x12870000  pc_count=15
+region=0x15910000  pc_count=15
+region=0x159b0000  pc_count=15
+region=0x15eb0000  pc_count=15
+region=0x163a0000  pc_count=15
+region=0x15930000  pc_count=14
+region=0x15b00000  pc_count=14
+region=0x15ce0000  pc_count=14
+region=0x15f40000  pc_count=14
+region=0x16160000  pc_count=14
+region=0x1ce20000  pc_count=14
+region=0x1d5d0000  pc_count=14
+region=0x1ea80000  pc_count=14
+region=0x1ed50000  pc_count=14
+region=0x1f5e0000  pc_count=14
+region=0x12ab0000  pc_count=13
+region=0x12ad0000  pc_count=13
+region=0x15c90000  pc_count=13
+region=0x15cc0000  pc_count=13
+region=0x15f50000  pc_count=13
+region=0x16300000  pc_count=13
+region=0x166f0000  pc_count=13
+region=0x1f380000  pc_count=13
+region=0x12940000  pc_count=12
+region=0x15ad0000  pc_count=12
+region=0x15c50000  pc_count=12
+region=0x15dd0000  pc_count=12
+region=0x15df0000  pc_count=12
+region=0x15e80000  pc_count=12
+region=0x15fb0000  pc_count=12
+region=0x15fc0000  pc_count=12
+region=0x16440000  pc_count=12
+region=0x16450000  pc_count=12
+region=0x1c220000  pc_count=12
+region=0x1ca40000  pc_count=12
+region=0x12ac0000  pc_count=11
+region=0x15fa0000  pc_count=11
+region=0x15ff0000  pc_count=11
+region=0x162c0000  pc_count=11
+region=0x16310000  pc_count=11
+region=0x16550000  pc_count=11
+region=0x16690000  pc_count=11
+region=0x1ccc0000  pc_count=11
+region=0x12ae0000  pc_count=10
+region=0x15690000  pc_count=10
+region=0x15900000  pc_count=10
+region=0x15980000  pc_count=10
+region=0x159a0000  pc_count=10
+region=0x15c20000  pc_count=10
+region=0x15d80000  pc_count=10
+region=0x15e10000  pc_count=10
+region=0x15e60000  pc_count=10
+region=0x15ef0000  pc_count=10
+region=0x16280000  pc_count=10
+region=0x166c0000  pc_count=10
+region=0x16950000  pc_count=10
+region=0x16960000  pc_count=10
+region=0x1c650000  pc_count=10
+region=0x15600000  pc_count=9
+region=0x157c0000  pc_count=9
+region=0x158e0000  pc_count=9
+region=0x15970000  pc_count=9
+region=0x15dc0000  pc_count=9
+region=0x15e90000  pc_count=9
+region=0x15ed0000  pc_count=9
+region=0x15ee0000  pc_count=9
+region=0x15f10000  pc_count=9
+region=0x15fd0000  pc_count=9
+region=0x167d0000  pc_count=9
+region=0x16820000  pc_count=9
+region=0x16990000  pc_count=9
+region=0x1db10000  pc_count=9
+region=0x1f2a0000  pc_count=9
+region=0x1f360000  pc_count=9
+region=0x156c0000  pc_count=8
+region=0x15790000  pc_count=8
+region=0x15990000  pc_count=8
+region=0x15d50000  pc_count=8
+region=0x15f30000  pc_count=8
+region=0x15f60000  pc_count=8
+region=0x15f70000  pc_count=8
+region=0x16120000  pc_count=8
+region=0x16870000  pc_count=8
+region=0x1c660000  pc_count=8
+region=0x1f8e0000  pc_count=8
+region=0x1f930000  pc_count=8
+region=0x1f980000  pc_count=8
+region=0x1f9d0000  pc_count=8
+region=0x1fa20000  pc_count=8
+region=0x1fa70000  pc_count=8
+region=0x157b0000  pc_count=7
+region=0x15c10000  pc_count=7
+region=0x15d90000  pc_count=7
+region=0x15e20000  pc_count=7
+region=0x15e30000  pc_count=7
+region=0x15f00000  pc_count=7
+region=0x15f90000  pc_count=7
+region=0x15fe0000  pc_count=7
+region=0x16020000  pc_count=7
+region=0x16030000  pc_count=7
+region=0x16040000  pc_count=7
+region=0x160b0000  pc_count=7
+region=0x16180000  pc_count=7
+region=0x16390000  pc_count=7
+region=0x163c0000  pc_count=7
+region=0x16720000  pc_count=7
+region=0x16790000  pc_count=7
+region=0x1e7b0000  pc_count=7
+region=0x1ea70000  pc_count=7
+region=0x1f2c0000  pc_count=7
+region=0x156a0000  pc_count=6
+region=0x157e0000  pc_count=6
+region=0x157f0000  pc_count=6
+region=0x15800000  pc_count=6
+region=0x159e0000  pc_count=6
+region=0x15a70000  pc_count=6
+region=0x15d10000  pc_count=6
+region=0x15d60000  pc_count=6
+region=0x15da0000  pc_count=6
+region=0x15db0000  pc_count=6
+region=0x15ea0000  pc_count=6
+region=0x16060000  pc_count=6
+region=0x16080000  pc_count=6
+region=0x16140000  pc_count=6
+region=0x16290000  pc_count=6
+region=0x162a0000  pc_count=6
+region=0x16360000  pc_count=6
+region=0x16620000  pc_count=6
+region=0x16760000  pc_count=6
+region=0x16850000  pc_count=6
+region=0x1e940000  pc_count=6
+region=0x1e960000  pc_count=6
+region=0x1ed20000  pc_count=6
+region=0x12ca0000  pc_count=5
+region=0x15650000  pc_count=5
+region=0x158b0000  pc_count=5
+region=0x158d0000  pc_count=5
+region=0x15b10000  pc_count=5
+region=0x15bf0000  pc_count=5
+region=0x15e40000  pc_count=5
+region=0x15e50000  pc_count=5
+region=0x15f80000  pc_count=5
+region=0x16000000  pc_count=5
+region=0x16010000  pc_count=5
+region=0x16070000  pc_count=5
+region=0x160c0000  pc_count=5
+region=0x160d0000  pc_count=5
+region=0x16130000  pc_count=5
+region=0x16230000  pc_count=5
+region=0x16270000  pc_count=5
+region=0x164a0000  pc_count=5
+region=0x16540000  pc_count=5
+region=0x16660000  pc_count=5
+region=0x16710000  pc_count=5
+region=0x16730000  pc_count=5
+region=0x16780000  pc_count=5
+region=0x167e0000  pc_count=5
+region=0x1c970000  pc_count=5
+region=0x1e880000  pc_count=5
+region=0x157a0000  pc_count=4
+region=0x15810000  pc_count=4
+region=0x15850000  pc_count=4
+region=0x15880000  pc_count=4
+region=0x158c0000  pc_count=4
+region=0x158f0000  pc_count=4
+region=0x15940000  pc_count=4
+region=0x15b20000  pc_count=4
+region=0x15b60000  pc_count=4
+region=0x15b70000  pc_count=4
+region=0x15bd0000  pc_count=4
+region=0x15c30000  pc_count=4
+region=0x15d70000  pc_count=4
+region=0x15ec0000  pc_count=4
+region=0x16050000  pc_count=4
+region=0x160e0000  pc_count=4
+region=0x162f0000  pc_count=4
+region=0x16380000  pc_count=4
+region=0x163d0000  pc_count=4
+region=0x16520000  pc_count=4
+region=0x15830000  pc_count=3
+region=0x15870000  pc_count=3
+region=0x15950000  pc_count=3
+region=0x159c0000  pc_count=3
+region=0x159d0000  pc_count=3
+region=0x15a90000  pc_count=3
+region=0x15ab0000  pc_count=3
+region=0x15ac0000  pc_count=3
+region=0x15af0000  pc_count=3
+region=0x15b40000  pc_count=3
+region=0x15d20000  pc_count=3
+region=0x15d30000  pc_count=3
+region=0x15e00000  pc_count=3
+region=0x16090000  pc_count=3
+region=0x160a0000  pc_count=3
+region=0x162d0000  pc_count=3
+region=0x16350000  pc_count=3
+region=0x163b0000  pc_count=3
+region=0x163f0000  pc_count=3
+region=0x16530000  pc_count=3
+region=0x165a0000  pc_count=3
+region=0x16650000  pc_count=3
+region=0x166d0000  pc_count=3
+region=0x16740000  pc_count=3
+region=0x16880000  pc_count=3
+region=0x1c790000  pc_count=3
+region=0x1f7a0000  pc_count=3
+region=0x12b40000  pc_count=2
+region=0x15740000  pc_count=2
+region=0x15840000  pc_count=2
+region=0x15860000  pc_count=2
+region=0x15890000  pc_count=2
+region=0x15920000  pc_count=2
+region=0x15d40000  pc_count=2
+region=0x16190000  pc_count=2
+region=0x161e0000  pc_count=2
+region=0x16210000  pc_count=2
+region=0x16220000  pc_count=2
+region=0x16320000  pc_count=2
+region=0x16370000  pc_count=2
+region=0x165c0000  pc_count=2
+region=0x16670000  pc_count=2
+region=0x16680000  pc_count=2
+region=0x166a0000  pc_count=2
+region=0x16860000  pc_count=2
+region=0x168c0000  pc_count=2
+region=0x168f0000  pc_count=2
+region=0x16980000  pc_count=2
+region=0x1e570000  pc_count=2
+region=0x1f560000  pc_count=2
+region=0x1f920000  pc_count=2
+region=0x1f970000  pc_count=2
+region=0x1f9c0000  pc_count=2
+region=0x1fa10000  pc_count=2
+region=0x1fa60000  pc_count=2
+region=0x1fab0000  pc_count=2
+region=0x12b20000  pc_count=1
+region=0x12b30000  pc_count=1
+region=0x14cd0000  pc_count=1
+region=0x14cf0000  pc_count=1
+region=0x15770000  pc_count=1
+region=0x157d0000  pc_count=1
+region=0x15820000  pc_count=1
+region=0x159f0000  pc_count=1
+region=0x15a10000  pc_count=1
+region=0x15aa0000  pc_count=1
+region=0x15b30000  pc_count=1
+region=0x15b50000  pc_count=1
+region=0x15b90000  pc_count=1
+region=0x15ba0000  pc_count=1
+region=0x15bc0000  pc_count=1
+region=0x15cf0000  pc_count=1
+region=0x161c0000  pc_count=1
+region=0x161f0000  pc_count=1
+region=0x16200000  pc_count=1
+region=0x16330000  pc_count=1
+region=0x16460000  pc_count=1
+region=0x164e0000  pc_count=1
+region=0x16500000  pc_count=1
+region=0x16510000  pc_count=1
+region=0x16560000  pc_count=1
+region=0x16590000  pc_count=1
+region=0x165d0000  pc_count=1
+region=0x165e0000  pc_count=1
+region=0x16830000  pc_count=1
+region=0x16840000  pc_count=1
+region=0x16920000  pc_count=1
+region=0x1d070000  pc_count=1
+region=0x1f760000  pc_count=1
+region=0x1f770000  pc_count=1

audit-runs/audit-029-physical-mem-diff/tables.txt

@@ -0,0 +1,98 @@
+# Consecutive PC dword runs (>=4 dwords): 5 runs
+
+=== run base=0x1e568f38 length=232 ===
+  +0x0000: pc=0x824c8f00
+  +0x0004: pc=0x824c8f00
+  +0x0008: pc=0x824c8f00
+  +0x000c: pc=0x824c8f00
+  +0x0010: pc=0x824c8f00
+  +0x0014: pc=0x824c8f00
+  +0x0018: pc=0x824c8f00
+  +0x001c: pc=0x824c8f00
+  +0x0020: pc=0x824c8f00
+  +0x0024: pc=0x824c8f00
+  +0x0028: pc=0x824b1010
+  +0x002c: pc=0x824b1088
+  +0x0030: pc=0x824b1058
+  +0x0034: pc=0x824b09c8
+  +0x0038: pc=0x824b0998
+  +0x003c: pc=0x824b0a38
+  +0x0040: pc=0x824b0dc8
+  +0x0044: pc=0x824b0ef8
+  +0x0048: pc=0x824b0b58
+  +0x004c: pc=0x824b0be8
+  +0x0050: pc=0x824b0ac8
+  +0x0054: pc=0x824b0ce8
+  +0x0058: pc=0x824b0d58
+  +0x005c: pc=0x824b0c78
+  +0x0060: pc=0x824b09f8
+  +0x0064: pc=0x824b0e60
+  +0x0068: pc=0x824b0ec8
+  +0x006c: pc=0x824b10c8
+  +0x0070: pc=0x824b1110
+  +0x0074: pc=0x824b1180
+  +0x0078: pc=0x824b11c0
+  +0x007c: pc=0x824b1200
+  +0x0080: pc=0x824b1150
+  +0x0084: pc=0x824b1310
+  +0x0088: pc=0x824b1330
+  +0x008c: pc=0x824b1350
+  +0x0090: pc=0x824b1260
+  +0x0094: pc=0x824b12a0
+  +0x0098: pc=0x824b12e0
+  +0x009c: pc=0x824b1230
+  +0x00a0: pc=0x824b1370
+  +0x00a4: pc=0x824b1390
+  +0x00a8: pc=0x824b13b0
+  +0x00ac: pc=0x824b13d0
+  +0x00b0: pc=0x824b16d8
+  +0x00b4: pc=0x824b1738
+  +0x00b8: pc=0x824b16c8
+  +0x00bc: pc=0x824b1790
+  +0x00c0: pc=0x824b1598
+  +0x00c4: pc=0x824b15c8
+  +0x00c8: pc=0x824b3458
+  +0x00cc: pc=0x824b1428
+  +0x00d0: pc=0x824b14f0
+  +0x00d4: pc=0x824b15e8
+  +0x00d8: pc=0x824b1620
+  +0x00dc: pc=0x824b1658
+  +0x00e0: pc=0x824b1690
+  +0x00e4: pc=0x824b1ee8
+  +0x00e8: pc=0x824b1e78
+  +0x00ec: pc=0x824b1eb0
+  +0x00f0: pc=0x824b17e8
+  +0x00f4: pc=0x824b1810
+  +0x00f8: pc=0x824b1840
+  +0x00fc: pc=0x824b1870
+  ... and 168 more
+
+=== run base=0x1e6290f0 length=9 ===
+  +0x0000: pc=0x824dd650
+  +0x0004: pc=0x824dd678
+  +0x0008: pc=0x824dd318
+  +0x000c: pc=0x824dd360
+  +0x0010: pc=0x824dc398
+  +0x0014: pc=0x824dc450
+  +0x0018: pc=0x824da5c0
+  +0x001c: pc=0x824dc1b0
+  +0x0020: pc=0x82006ed4
+
+=== run base=0x1c22c9b0 length=4 ===
+  +0x0000: pc=0x82611ba0
+  +0x0004: pc=0x82611c68
+  +0x0008: pc=0x82611468
+  +0x000c: pc=0x826114a8
+
+=== run base=0x1ce24bc0 length=4 ===
+  +0x0000: pc=0x82061278
+  +0x0004: pc=0x82061270
+  +0x0008: pc=0x8206126c
+  +0x000c: pc=0x82061268
+
+=== run base=0x1ce254c0 length=4 ===
+  +0x0000: pc=0x820610e0
+  +0x0004: pc=0x82061044
+  +0x0008: pc=0x82061040
+  +0x000c: pc=0x820610dc
+

audit-runs/audit-029-physical-mem-diff/v40table-hits.txt

@@ -0,0 +1,22 @@
+# Hits where canary stores one of the 18 PCs from our v40 table at 0x40211900
+# (audit-027 hypothesis: this table belongs on physical heap in canary)
+# count=19
+phys=0x1c32c910  pc=0x82183ae8
+phys=0x1c32c930  pc=0x82187e38
+phys=0x1c32c950  pc=0x8218cf10
+phys=0x1c32c970  pc=0x82191b18
+phys=0x1c32c990  pc=0x821958c8
+phys=0x1c32c9b0  pc=0x82197448
+phys=0x1c32c9d0  pc=0x82199600
+phys=0x1c32c9f0  pc=0x82199ab0
+phys=0x1c32ca10  pc=0x821a3a50
+phys=0x1c32ca30  pc=0x821ac770
+phys=0x1c32ca50  pc=0x821b0378
+phys=0x1c32ca70  pc=0x821b41f0
+phys=0x1c32ca90  pc=0x821b7178
+phys=0x1c32cab0  pc=0x821ba1c8
+phys=0x1c32cad0  pc=0x821bd470
+phys=0x1c32caf0  pc=0x821bfad0
+phys=0x1c32cb10  pc=0x821c0288
+phys=0x1c32cb30  pc=0x821c09d8
+phys=0x1c32cb50  pc=0x821c09d8