handoff: VSync/event-wedge fixes + iterate 2.A–2.BC research notes
Source changes (dormant parity infra, retained from iterate 2.AI/2.AO):
- xenia-kernel/exports.rs: nt_create_event manual_reset polarity + related event wiring
- xenia-gpu/mmio_region.rs: D1MODE_VBLANK_VLINE_STATUS hardcode parity

Also lands the audit-runs/ analysis notes (.md/.txt/.json digests) for the iterate 2.x VSync/0x10e8/0x1004 wedge investigation. Raw trace dumps (.jsonl/.gz/.csv/.stdout) and agent worktrees (.claude/) are gitignored as regenerable local artifacts — see memory + HANDOFF for the running findings.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
65
audit-runs/iterate-2AV-tid13-registrar/findings-static.md
Normal file
@@ -0,0 +1,65 @@
# 2.AV static findings (canary runtime trace BLOCKED by wine GPU-init stall)

## Object model (ours == canary, identical guest XEX)
- Publisher singleton (ours runtime 0xbc58c910), vtable 0x820a183c, built by GetInstance
sub_8216ea68, called UNCONDITIONALLY from image entry_point sub_824ab748 @0x824ab8dc.
Stored at global 0x828a865c (refcounted; teardown sub_8216f170).
- field8 = publisher[+8] (ours runtime 0xbd024a80), built by sub_82173990 (derived) ->
base ctor sub_82173360. Base ctor: vtable@+0, CRITICAL_SECTION@+16 (RtlInitializeCSAndSpinCount
@0x821733a0), then ZERO-INITS +44 (stw r29=0, 44(r30) @0x821733a4) and +48,+52,...
=> field8+44 is a NULL-initialized observer/next pointer (NOT a CS lock word; the CS is +16..+44).
- Notify/publish method = publisher vtable+0x1C = 0x821753c8:
lwz r11,8(r3) ; field8
lwz r11,44(r11) ; observer = field8+44
cmplwi; beqlr ; if NULL -> silent return
lwz r3,0(r11); lwz r11,0(r3); lwz r11,48(r11); bctr ; dispatch observer.vtable[+0x30]
(sibling notify at vtable+0x14=0x82175350 same shape via vtable+0x2c)

## opt_callback / ISR chain (confirmed by 2.AT deref + this static)
- VSync ISR sub_824be9a0(r3=mode,r4=user_data):
r3==0 (60Hz VSync): frame bookkeeping, then @0x824bea80 r11=[user_data+15144]=opt_callback;
if !=0 -> bctrl @0x824beaa8 (lr=0x824beaac seen in traces).
r3==1 (other src): callback [user_data+20] if [user_data+16]!=0.
- opt_callback (+15144) = 0x822f2248, installed by sub_824c1920 (`stw r4,15144(r3)`),
called from registrar sub_822f1f20 @0x822f1f70 (r3=user_data, r4=0x822f2248).
sub_822f1f20 reached from VSync main loop sub_822f1aa8 @0x822f1f04.
- 0x822f2248 -> virtual dispatch -> publisher.vtable[+0x1C] = 0x821753c8 (the notify method above).

## ours runtime (2.AT): field8+44 == 0 at every dispatch => beqlr, never signals 0x10e8.
## opt_callback fires only 67x total, EARLY boot (cycles 312K-7.3M), tids 7(55x)+1(12x); NOT 60Hz.

## tid=13 reconciliation (Task C)
- CURRENT exit-state (this run, 2.AP, 2.AQ): tid=13 = EXITED CLEAN (pc=lr=0xbcbcbcbc sentinel),
NOT in wedge_map. 2.V clean-exit HOLDS; tid=13 did NOT regress.
- sub_821CB030 (2.AT-claimed tid=13 wait site) = generic string/path utility, 6 callers,
NOT a wait/wedge primitive. No current thread parked there.
- => 2.AT's "R1 downstream of wedged tid=13" premise is NOT supported by current data.

## Registrar that would write field8+44: NOT FOUND in ours run (only zero-init + prior CS tenant).
## No static stw to +44 in notify region 0x82173000-0x82176000 except the zero-init.

## DECISIVE NEW FINDING (Task A/C): field8+44 observer is NEVER populated in EITHER engine
- Whole-image search for the subscribe pattern `lwz R,8(obj); stw delegate,44(R)` -> only 2 hits:
0x821916dc: `li r11,3; stw r11,44(r3)` (immediate flag, unrelated class)
0x8269fa70: `li r10,1; stw r10,44(r11)` (immediate flag, unrelated class, sub_8269F9F8)
NEITHER writes a heap delegate pointer to the publisher's field8+44.
- => No guest code registers an observer on the publisher's field8+44. Since ours==canary guest
code, canary ALSO leaves field8+44 NULL. The +44 notify-dispatch is a STRUCTURAL DEAD-END in
this title, not a producer ours fails to run.
- => Force-installing a delegate at +44 (2.AT/2.AR R1 "force-install") would be a pure crowbar
with NO canary basis. R1 is NOT a missing +44 registrar.

## Implication: the real 0x10e8 signaller is a DIFFERENT path
- VSync ISR sub_824be9a0 has TWO callbacks: r3==0 -> opt_callback(+15144) -> dead-end +44 notify;
r3==1 -> [user_data+10772]->[+16]/[+20] graphics-interrupt sub-callback (set by guest gfx driver
via the +10768/+10772 alloc in sub_824bfee0). The r3==1 path (or a host-direct KeSetEvent on the
swap event) is the likely 0x10e8 producer — NOT the opt_callback +44 chain.
- ours opt_callback fires only 67x EARLY (cycles 312K-7.3M), NOT 60Hz. Canary delivers 60Hz
(tid=2 NtSetEvent 4660x). The divergence is INTERRUPT-DELIVERY CADENCE (ours stops pumping the
ISR after boot) + which ISR sub-path/event actually drives 0x10e8 — not the +44 observer.

## CANARY RUNTIME TRACE: ATTEMPTED, BLOCKED
- build-cross Windows xenia_canary.exe (has audit_61/68 cvars) run under wine stalls right after
config dump, never mounts ISO (GPU/window init hang in this wine prefix, headless and non-headless).
Native Linux Debug binary lacks audit cvars. Could not capture canary field8+44 at runtime.
Config restored to defaults; processes killed.
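Review bot: the "NEVER populated in EITHER engine" heading in the DECISIVE NEW FINDING block overstates what the evidence in that block supports. The only input is a whole-image search for the literal pattern `lwz R,8(obj); stw delegate,44(R)`, which can only catch a direct `stw` to offset 44 off a register loaded from obj+8 at the store site; a store issued via `stwx`, through a base register that was copied or passed in as an argument instead of reloaded from +8, or as part of a bulk initialization of the object would not match, so "NOT FOUND" does not yet establish "never populated". The same document records the canary runtime check as `## CANARY RUNTIME TRACE: ATTEMPTED, BLOCKED`, so the cross-engine claim is currently inferred rather than observed. Suggest stating the pattern's coverage limits next to the two hits and softening the heading to something like `## No direct static registrar for field8+44 found (pattern search; canary runtime unconfirmed)` until the canary field8+44 value is captured; the separately observed `## ours runtime (2.AT): field8+44 == 0 at every dispatch => beqlr, never signals 0x10e8.` stands on its own and should stay distinct from the inferred canary claim. Minor style point: several single findings are written as `##` headings (e.g. the "ours runtime" line and `## No static stw to +44 in notify region ...`) while the neighbouring sections record findings as `-` bullets; rendering these as bullets under a heading would keep the document's section structure consistent.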