ITERATE-2.V: scheduler priority aging closes 18-day AUDIT-049 wedge

Priority aging in xenia-cpu/scheduler.rs:pick_runnable
(effective_priority = base + age_bonus(now_round - last_run_round),
capped at +31, AGING_ROUNDS_PER_BONUS=1). Strict-priority was parking
priority=0 threads behind CPU-bound priority=15 audio mixer
(sub_824D1328 guest spinwait at PC=0x824d1404 on CPU5). Aging
eventually picks the starved thread, breaking the producer-consumer
cycle that caused 5-tid wedge at PC=0x824ac578 since AUDIT-049 (10 May).

Cascade observed: tid=13 clean exit; events 121K -> 13M (107x); last
host_ns 767ms -> 51,011ms (66x); 8 new threads spawn; VdSwap 1 -> 2.

Complete two-day iterate sequence (2026-05-27 -> 2026-05-28):
- 2.F: VdSwap drain timeout 900ms -> 1ms (xenia-gpu/handle.rs); 876x
       perf win on VdSwap kernel callback
- 2.H: vA0000000 physical heap bucket added (state.rs, exports.rs);
       ctx_ptrs now in 0xA0000000-0xBFFFFFFF range matching canary
- 2.L: Phase-A diff harness categorized [return_value mismatch],
       [status mismatch], [args_resolved.path mismatch] tags
       (tools/diff-events/diff_events.py); closes reading-error #41
       (silent test-harness state leak invalidating trace diffs)
- 2.M: always-on exit-thread-state.json sibling to Phase-A JSONL
       (event_log.rs + xenia-app/main.rs); closes reading-error #42
       (Phase-A blind to blocked-forever waits)
- 2.Q: signal.match kernel instrumentation in NtSetEvent /
       NtReleaseSemaphore / KeSetEvent / KeReleaseSemaphore
       (exports.rs); emits target_handle + waiter_count + waiter_tids
- 2.T: wake.requested kernel instrumentation in wake_eligible_waiters
       (exports.rs); emits target_tid + transition + new_state
- 2.V: scheduler priority aging (xenia-cpu/scheduler.rs) [keystone]

Plus accumulated WIP from earlier May (contention_manifest,
phase_b_snapshot, xam/xaudio enhancements, analysis db, xex loader,
xenia-app main loop, etc.). Audit-runs/ artifacts remain untracked
per project convention.

Tests: 300 xenia-cpu / 227 xenia-kernel / 5 xenia-app / 19 xenia-path
/ 30+ smaller suites -- all PASS, 0 regressions. Determinism preserved
(2x cold runs bit-identical at 13,003,881 events post-2.V).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

crates/xenia-xex/src/header.rs

@@ -120,9 +120,13 @@ pub mod header_keys {
     pub const ENTRY_POINT: u32 = 0x00010100;
     pub const IMAGE_BASE_ADDRESS: u32 = 0x00010201;
     pub const IMPORT_LIBRARIES: u32 = 0x000103FF;
-    pub const TLS_INFO: u32 = 0x00020200;
+    // Canary authoritative: `xenia-canary/src/xenia/kernel/util/xex2_info.h:217-218`.
+    // The two values below were transposed prior to Phase 2 of the boot-state
+    // remediation — the swap was latent because the sole caller of
+    // `get_stack_size()` (loader.rs:356) was never invoked.
+    pub const TLS_INFO: u32 = 0x00020104;
     pub const EXECUTION_INFO: u32 = 0x00040006;
-    pub const DEFAULT_STACK_SIZE: u32 = 0x00020104;
+    pub const DEFAULT_STACK_SIZE: u32 = 0x00020200;
     pub const ORIGINAL_PE_NAME: u32 = 0x000183FF;
     pub const FILE_FORMAT_INFO: u32 = 0x000003FF;
     pub const SYSTEM_FLAGS: u32 = 0x00030000;

crates/xenia-xex/src/loader.rs

@@ -353,8 +353,49 @@ pub fn get_image_base(header: &Xex2Header) -> Option<u32> {
 }
 
 /// Get the default stack size.
+///
+/// Canary: `XEX_HEADER_DEFAULT_STACK_SIZE = 0x00020200`, low key byte = 0,
+/// which by XEX-key encoding means the `value` field IS the stack size
+/// directly (not an offset into the header). Fallback to 1 MiB mirrors
+/// the historical hardcoded default in `xenia-app`.
 pub fn get_stack_size(header: &Xex2Header) -> u32 {
-    get_opt_header(header, header_keys::DEFAULT_STACK_SIZE).unwrap_or(0x10_0000) // Default 1MB
+    get_opt_header(header, header_keys::DEFAULT_STACK_SIZE).unwrap_or(0x10_0000)
+}
+
+/// Parsed `XEX_HEADER_TLS_INFO` (key `0x00020104`).  Canary's
+/// `xex2_opt_tls_info` struct (`xex2_info.h:595-601`):
+///   +0x00 u32 slot_count        — number of dynamic TLS slots
+///   +0x04 u32 raw_data_address  — guest VA of the initial-value template
+///   +0x08 u32 data_size         — total TLS region size (image + slots)
+///   +0x0C u32 raw_data_size     — bytes of the initial-value template
+#[derive(Debug, Clone, Copy)]
+pub struct TlsInfo {
+    pub slot_count: u32,
+    pub raw_data_address: u32,
+    pub data_size: u32,
+    pub raw_data_size: u32,
+}
+
+/// Parse the `XEX_HEADER_TLS_INFO` opt-header.  The opt-header's low key
+/// byte = 0x04, which by XEX-key encoding means the `value` field is an
+/// OFFSET (in bytes) into the raw XEX header where the 16-byte
+/// `xex2_opt_tls_info` struct lives — NOT an inline value.  `data` must
+/// be the raw XEX header bytes (length ≥ `value + 16`).  Returns `None`
+/// when the opt-header is absent or the offset is out of range.
+pub fn get_tls_info(header: &Xex2Header, data: &[u8]) -> Option<TlsInfo> {
+    let off = get_opt_header(header, header_keys::TLS_INFO)? as usize;
+    if off.checked_add(16)? > data.len() {
+        return None;
+    }
+    let read_be_u32 = |o: usize| -> u32 {
+        u32::from_be_bytes([data[o], data[o + 1], data[o + 2], data[o + 3]])
+    };
+    Some(TlsInfo {
+        slot_count: read_be_u32(off),
+        raw_data_address: read_be_u32(off + 4),
+        data_size: read_be_u32(off + 8),
+        raw_data_size: read_be_u32(off + 12),
+    })
 }
 
 /// XEX `XEX_HEADER_SYSTEM_FLAGS` (key `0x00030000`) — the privilege bitmap