handoff: VSync/event-wedge fixes + iterate 2.A–2.BC research notes

Source changes (dormant parity infra, retained from iterate 2.AI/2.AO):
- xenia-kernel/exports.rs: nt_create_event manual_reset polarity +
  related event wiring
- xenia-gpu/mmio_region.rs: D1MODE_VBLANK_VLINE_STATUS hardcode parity

Also lands the audit-runs/ analysis notes (.md/.txt/.json digests) for the
iterate 2.x VSync/0x10e8/0x1004 wedge investigation. Raw trace dumps
(.jsonl/.gz/.csv/.stdout) and agent worktrees (.claude/) are gitignored as
regenerable local artifacts — see memory + HANDOFF for the running findings.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
MechaCat02
2026-06-05 07:19:08 +02:00
parent acd1656753
commit ef93a4fa14
620 changed files with 108303 additions and 1 deletions

@@ -0,0 +1,101 @@
# Absorber inventory (Phase absorber-review, 2026-05-19)
The diff tool currently lands three absorbers that cross reading-error #23
(matching genuinely different guest behavior at the diff layer). Each is
documented below — trigger, match heuristic, rationale, what is silenced.
The investigation goal is to determine whether any of them is hiding
signal flow that would explain the AUDIT-049 wedge (tid=13 blocked on
Event/Auto handle `0x12d0`, sister wedges `0x1020/0x1040/0x10A8/0x10E4/0x12B8`,
`sub_825070F0` worker spawner fires 0×).
## A) Shared-global `handle.create` floating absorb (Phase C+18)
* **File**: `diff_events.py::diff_one_tid`, branch guarded by
`is_shared_global_handle_create` + `cross_tid_floating_sids`.
* **Trigger condition**: at a kind mismatch, exactly one side has
`handle.create` whose SID is in the cross-tid floating set.
* **Match heuristic**: the SID equals the deterministic
`shared_global_sid(pointer, object_type)` recipe (FNV-1a over marker
`0xC01AB005`, pointer, object_type) OR appears across ≥2 distinct tids
in either engine's stream (cross-tid usage heuristic).
* **Rationale**: process-global dispatcher objects (XAudio voice-volume
semaphores, shared CSes, shared KEVENTs) get lazy-wrapped by whichever
guest thread is the first toucher; that thread differs between cold
runs. The SID recipe is scheduling-invariant so the diff can absorb
the `handle.create` on the "wrong" tid.
* **What's silenced**: `handle.create` events for process-global
dispatchers. Per-thread (`alloc_handle_for`/`AddHandle`) handle.create
events are NOT silenced because their SID uses the per-(tid, idx)
recipe.
## B) Shared-global `wait.begin` floating absorb (Phase C+21)
* **File**: `diff_events.py::diff_one_tid`, branch guarded by
`is_shared_global_wait_begin`.
* **Trigger condition**: at a kind mismatch, exactly one side has
`wait.begin` whose `handles_semantic_ids` list includes at least one
SID in the shared-global set.
* **Match heuristic**: any of the wait's handles matches the
shared-global SID criterion above. For `wait_type=all`, ANY single
shared-global handle is enough to classify the whole wait as
floating (heuristic risk: a wait on one shared + multiple per-thread
handles is fully absorbed).
* **Rationale**: contention on shared dispatchers is host-scheduler
driven. One cold run may emit `wait.begin` (slow path) while another
fast-paths past it without ever blocking. Reading-error #32.
* **What's silenced**: `wait.begin` events that touch shared-global
dispatchers. The associated `wait.end` (which has its own field
skips per `SKIP_PAYLOAD_FIELDS_BY_KIND`) still aligns positionally.
## C) Nested-CS-cleanup absorber, Phase D D-extension (v1.5)
* **File**: `diff_events.py::_try_absorb_nested_cs_cleanup`, invoked from
`diff_one_tid`.
* **Trigger condition**: kind mismatch where canary has
`import.call RtlEnterCriticalSection` while ours has
`import.call RtlLeaveCriticalSection`. Pattern is exact — NO other
kind-mismatch shape engages this absorber.
* **Match heuristic**: walks canary forward consuming balanced
`[Enter-block(3), Leave-block(3)]` pairs (each pair = 6 events: import.call,
kernel.call, kernel.return for Enter; same triple for Leave). Cap
`_NESTED_CS_PAIR_CAP = 32`. After each pair, checks whether
canary's next event has the SAME kind AND payload `name` as ours's
current event — first convergence wins (greedy).
* **Rationale**: the 104,607 cap is a producer-throughput divergence:
canary's preemptive host-OS scheduling lets a peer tid insert more
work items into a CS-protected registry/tree during a notification-event
wait window than ours's cooperative scheduler does. Canary then
iterates `[E L]` cleanups over those entries; ours has fewer entries
and fast-Leaves. Per Phase D forensics, this is a real guest-behavior
divergence, not jitter.
* **What's silenced**: contiguous `[E L]` blocks on canary's side at
the specific Enter-vs-Leave mismatch site (~+439 events at the
104,607→105,046 advance per the D-extension memory).
* **Stated caveat**: this explicitly crosses reading-error #23. The
band-aid was approved because the underlying root cause requires
preempting the cooperative scheduler (invalidates 23 phases of digest
stability; out of scope per H' plan).
## Cross-references for wedge hunt
Per Phase W ground truth, the unsignaled handles at deadlock are:
```
0x00001020 Event/Manual waiters=1 signals=0 waits=1 wakes=0
0x00001040 Event/Auto waiters=0 signals=0 waits=32 wakes=0
0x000010b0 Event/Auto waiters=0 signals=0 waits=7 wakes=0
0x000010ec Event/Manual waiters=1 signals=0 waits=2 wakes=0
0x000012d0 Event/Auto waiters=1 signals=0 waits=1 wakes=0 ← THE WEDGE
0x000012e4 Event/Auto waiters=1 signals=0 waits=1 wakes=0
```
Per the dossier caveat (AUDIT-049 era ID `0x1288` → Phase W ID `0x12d0`),
handle ID is allocator-ordinal-dependent and does NOT match across
engines. So we look up by **canary's analog handles** via the canary
event stream — i.e. any Event/Auto whose tid+site equals canary's
analog of ours's tid=13 `sub_821CB030+0x1B0` worker create call. Per
Phase W's table, canary tid=14/15 are the worker cluster (1.9M / 995K
events). If an absorbed event on canary is a worker-cluster
`handle.create`/`wait.begin` for an event-like object, that's wedge-
relevant.
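
Review bot: The sister-wedge list in the intro (`0x1020/0x1040/0x10A8/0x10E4/0x12B8`) does not match the Phase W table under "Cross-references for wedge hunt", which lists `0x10b0`, `0x10ec` and `0x12e4` where the intro has `0x10A8`, `0x10E4` and `0x12B8`. Since the closing paragraph says handle IDs are allocator-ordinal-dependent (`0x1288` in the AUDIT-049 era, `0x12d0` in Phase W), the intro should say which run its IDs come from, or use the Phase W values throughout, so a reader does not go looking for handles that are not in the dump. Separately, the section C rationale opens with "the 104,607 cap", but the only cap defined in that section is `_NESTED_CS_PAIR_CAP = 32`; if 104,607 is the matched-prefix position where the diff stalls, call it that. The `wait_type=all` risk noted in section B would also be easier to audit if the absorber recorded how many per-thread handles were present in each absorbed wait.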

@@ -0,0 +1,132 @@
# Cross-reference — absorbed events vs Phase W wedge ground truth
Baseline diff: Phase W cold canary `canary-wedge.head250k.jsonl` (56 MB,
head-truncated to ~250k canary tid=6 events) vs ours
`ours-postfix.jsonl` (28 MB). Default tid-map `6=1,4=11,7=2,12=7,14=9,15=10`.
## Total absorbed events: 8
| absorber | side | events |
|---|---|---|
| shared-global | ours | 1 |
| wait-begin | canary | 1 |
| nested-cs | canary | 6 (1 [E,L] pair = 6 events) |
## Per-absorbed-event analysis
### Nested-cs (6 events, canary tid=6 idx 104607104612)
Pure `RtlEnterCriticalSection`+`RtlLeaveCriticalSection` import/kernel.call/
kernel.return triples on canary's side. Return values all `0x00000000`
(uncontended fast-path). **No handles referenced.** Not wedge-relevant by
construction — these are CS API calls, not signal-flow events.
### Wait-begin (1 event, canary tid=6 idx 104622)
```
SID: a25a16a4f6f547aa (object_type=1 EVENT)
raw_handle_id: 0xf8000044 (canary kernel-table slot)
created at: canary tid=10 idx=843 (worker thread)
used by: 108 wait.begin events across canary tids 6, 9, 10, 17, 18
```
**Embedded inside an `RtlEnterCriticalSection` block** (idx 104620
import.call → 104621 kernel.call → 104622 wait.begin → 104623 kernel.return).
This is canary's CS slow-path — the CS was contended so the wait.begin
fired on the **CS dispatcher Event**. Object_type=1 (EVENT) is the Xbox
kernel's representation of the CS's owned-by-other-thread dispatcher;
NOT a user-mode `NtCreateEvent`-created Event.
The Event is created on worker tid=10 because in canary the worker did
run and contend on this CS. In ours the workers don't run so the CS is
never contended; ours fast-paths through (uncontended kernel.return at
idx 104616 with status 0).
**Wedge handles in ours** (per `halt-on-deadlock-dump.txt`) are:
`0x12d0`, `0x1020`, `0x1040`, `0x10b0`, `0x10ec`, `0x12e4` — all
`object_type=1 EVENT` but all created via `NtCreateEvent`
at `LR=0x824a9f6c` from worker tid=13. They're worker-LOCAL Events
(SIDs `d5e23609d3948568` etc., computed from ours's per-tid recipe),
NOT the shared CS dispatcher Event `a25a16a4f6f547aa`.
**Verdict**: absorber is correctly suppressing CS-contention scheduling
jitter, not wedge signal flow. The Event canary waits on is the
CS dispatcher proxy, never the user-mode worker-private Events.
### Shared-global (1 event, ours tid=10 idx 2)
```
SID: ac8315b371bcf7cb (object_type=3 SEMAPHORE)
raw_handle_id: 0x828a3230 (guest VA — well-known XAudio voice-volume
semaphore, documented in C+18)
```
ours emits `handle.create` for this Semaphore at idx 2 because
`ensure_dispatcher_object` synthesizes the shadow KernelObject at
first touch (Phase C+17). Canary doesn't emit a corresponding
`handle.create` on the same tid pair because the canary first toucher
was a different host thread — classic process-global first-toucher
race that C+18 was specifically designed for.
**Wedge handles are all EVENT (object_type=1).** This is a SEMAPHORE
(type=3). Different object class, different code path (XAudio voice
volume). Not wedge-relevant.
**Verdict**: absorber is correctly suppressing first-toucher race for
a shared XAudio dispatcher, not wedge signal flow.
## Selective-disable matched-prefix deltas
Baseline (all absorbers ON): main tid=6→1 matched=**105,128**.
| disabled absorber | main matched | delta | sister 15→10 matched |
|---|---|---|---|
| (none — baseline) | 105,128 | 0 | 16 |
| shared-global | 105,128 | 0 | 2 (14) |
| wait-begin | 104,616 | 512 | 16 |
| nested-cs | 104,607 | 521 | 16 |
The delta pattern matches the absorbed events exactly:
- nested-cs's 6 absorbed events at idx 104,607104,612 enabled the
104,607 → 105,128 advance (combined with subsequent wait-begin).
- wait-begin's single absorb at idx 104,622 enabled the 104,616 →
105,128 advance (without it, the absorber-chain stops there).
- shared-global's single absorb on tid=15→10 enabled that sister
chain's 2 → 16 advance.
## Cross-reference verdict
**None of the absorbed events reference a wedge-relevant handle.**
Specifically:
1. Nested-cs absorbs RtlEnter/Leave **API events** — no handles involved.
2. Wait-begin absorbs a CS-dispatcher Event used in CS contention.
The wedge Events are user-mode `NtCreateEvent` outputs from worker
tid=13 — DIFFERENT object class than CS dispatchers.
3. Shared-global absorbs an XAudio SEMAPHORE — wedge handles are all
EVENT type.
## What the absorbers DO reveal indirectly
The wait-begin and nested-cs absorbers fire because canary's main
thread (tid=6) waits on a CS that ours never contends on. **The reason
ours never contends on it is because the worker cluster (canary
tid=9/10/14/15/17/18) never runs** — they emit 17 and 77 events in
ours (vs 995k and 1.9M in canary) per Phase W ground truth.
The absorbers are therefore CORRECTLY treating the contention pattern
as scheduling jitter at the diff layer. The underlying root cause —
workers don't bootstrap — is what Phase W identified and is unchanged
by absorber behavior.
Even if we disabled all three absorbers, the surfaced divergences
would be:
- canary's main waiting on a CS dispatcher that ours doesn't create
(because the contending worker is absent), AND
- canary's main entering CS nested-cleanup branches because the
CS-protected registry has more entries (because workers inserted them).
Both are downstream effects of the same upstream "workers don't run"
root cause that Phase D's contention-replay (Stage 3/4) and quantum
(Stage 0) experiments already failed to unblock. No new signal-flow
gap is exposed.
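
Review bot: In the "Selective-disable matched-prefix deltas" table the `delta` column is unsigned (512 for wait-begin, 521 for nested-cs) although both rows are drops from the 105,128 baseline, and the sister cell `2 (14)` has no legend. Write the deltas as -512 and -521 and label the parenthesised figure (16 - 2 = 14 fewer matched, if that is what it means). The index ranges have also lost their separator: "idx 104607104612" in the nested-cs heading and "104,607104,612" in the first delta bullet should read as a range from 104,607 to 104,612. Last, the header states the canary trace is head-truncated to about 250k tid=6 events, so the verdict "None of the absorbed events reference a wedge-relevant handle" should be scoped to that window; as written it reads as a statement about the full run.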

@@ -0,0 +1,137 @@
# Phase A diff report
**This report is the output of Phase A's diff harness. Divergences
shown here are INPUT for Phase B (first-divergence localization),
not findings of Phase A.** Phase A's job is to make the harness
itself correct, not to analyze what it surfaces.
## Summary
| canary_tid | ours_tid | matched | canary_total | ours_total | first_divergence_at | floating_create (c/o) | floating_wait (c/o) |
|---|---|---|---|---|---|---|---|
| 4 | 11 | 11 | 2099 | 11 | — | 0/0 | 0/0 |
| 6 | 1 | 105128 | 119455 | 108507 | 105128 | 0/0 | 1/0 |
| 7 | 2 | 32 | 32 | 33 | — | 0/0 | 0/0 |
| 12 | 7 | 4 | 374 | 5 | 4 | 0/0 | 0/0 |
| 14 | 9 | 41 | 26901 | 77 | 41 | 0/0 | 0/0 |
| 15 | 10 | 16 | 11558 | 17 | — | 0/1 | 0/0 |
*`floating_create (c/o)` counts shared-global `handle.create` events absorbed by Phase C+18 cross-tid SID matching. `floating_wait (c/o)` counts `wait.begin` events on shared-global dispatchers absorbed by Phase C+21 (scheduling-jitter window — canary's contention slow path may fire while ours fast-paths or vice versa). See schema-v1.md §"Shared-global SIDs" and §"Wait-begin floating absorb".*
## canary_tid=4 → ours_tid=11
No divergence within the 11 compared events (canary has 2099, ours has 11).
## canary_tid=6 → ours_tid=1
First divergence at `tid_event_idx=105128`: payload.ctx_ptr: canary='0xbe56bb3c' ours='0x42453b3c'
**Pre-context (last 5 matching events):**
```
canary: [105130] kernel.call KiApcNormalRoutineNop
ours: [105123] kernel.call KiApcNormalRoutineNop
canary: [105131] kernel.return KiApcNormalRoutineNop
ours: [105124] kernel.return KiApcNormalRoutineNop
canary: [105132] import.call ExCreateThread
ours: [105125] import.call ExCreateThread
canary: [105133] kernel.call ExCreateThread
ours: [105126] kernel.call ExCreateThread
canary: [105134] handle.create sid=17d8b2ba9dd4ba13
ours: [105127] handle.create sid=3562d07db6ff161d
```
**Divergent event:**
```
canary: [105135] thread.create {'handle_semantic_id': '17d8b2ba9dd4ba13', 'parent_tid': 6, 'entry_pc': '0x824cd458', 'ctx_ptr': '0xbe56bb3c', 'priority': 0, 'affinity': 4, 'stack_size': 32768, 'suspended': False}
ours: [105128] thread.create {'handle_semantic_id': '3562d07db6ff161d', 'parent_tid': 1, 'entry_pc': '0x824cd458', 'ctx_ptr': '0x42453b3c', 'priority': 0, 'affinity': 4, 'stack_size': 32768, 'suspended': False}
```
**Next event after the divergence (if any):**
```
canary: [105136] kernel.return ExCreateThread
ours: [105129] kernel.return ExCreateThread
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1644146200, "kind": "thread.create", "payload": {"affinity": 4, "ctx_ptr": "0xbe56bb3c", "entry_pc": "0x824cd458", "handle_semantic_id": "17d8b2ba9dd4ba13", "parent_tid": 6, "priority": 0, "stack_size": 32768, "suspended": false}, "schema_version": 1, "tid": 6, "tid_event_idx": 105135}
{"deterministic": true, "engine": "ours", "guest_cycle": 0, "host_ns": 494758288, "kind": "thread.create", "payload": {"affinity": 4, "ctx_ptr": "0x42453b3c", "entry_pc": "0x824cd458", "handle_semantic_id": "3562d07db6ff161d", "parent_tid": 1, "priority": 0, "stack_size": 32768, "suspended": false}, "schema_version": 1, "tid": 1, "tid_event_idx": 105128}
```
## canary_tid=7 → ours_tid=2
No divergence within the 32 compared events (canary has 32, ours has 33).
## canary_tid=12 → ours_tid=7
First divergence at `tid_event_idx=4`: payload.return_value: canary=258 ours=0
**Pre-context (last 5 matching events):**
```
canary: [0] import.call KeWaitForSingleObject
ours: [0] import.call KeWaitForSingleObject
canary: [1] kernel.call KeWaitForSingleObject
ours: [1] kernel.call KeWaitForSingleObject
canary: [2] handle.create sid=c49d8f0ab90401ea
ours: [2] handle.create sid=6e3d96c5a52bf429
canary: [3] wait.begin {'handles_semantic_ids': ['c49d8f0ab90401ea'], 'timeout_ns': -30000000, 'alertable': False, 'wait_type': 'any'}
ours: [3] wait.begin {'handles_semantic_ids': ['6e3d96c5a52bf429'], 'timeout_ns': -30000000, 'alertable': False, 'wait_type': 'any'}
```
**Divergent event:**
```
canary: [4] kernel.return KeWaitForSingleObject
ours: [4] kernel.return KeWaitForSingleObject
```
**Next event after the divergence (if any):**
```
canary: [5] import.call RtlEnterCriticalSection
ours: <end of stream>
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1676368000, "kind": "kernel.return", "payload": {"name": "KeWaitForSingleObject", "return_value": 258, "side_effects": [], "status": "0x00000102"}, "schema_version": 1, "tid": 12, "tid_event_idx": 4}
{"deterministic": true, "engine": "ours", "guest_cycle": 30, "host_ns": 494789418, "kind": "kernel.return", "payload": {"name": "KeWaitForSingleObject", "return_value": 0, "side_effects": [], "status": "0x00000000"}, "schema_version": 1, "tid": 7, "tid_event_idx": 4}
```
## canary_tid=14 → ours_tid=9
First divergence at `tid_event_idx=41`: payload.ord: canary=503 ours=293
**Pre-context (last 5 matching events):**
```
canary: [36] kernel.call KeReleaseSpinLockFromRaisedIrql
ours: [36] kernel.call KeReleaseSpinLockFromRaisedIrql
canary: [37] kernel.return KeReleaseSpinLockFromRaisedIrql
ours: [37] kernel.return KeReleaseSpinLockFromRaisedIrql
canary: [38] import.call KfLowerIrql
ours: [38] import.call KfLowerIrql
canary: [39] kernel.call KfLowerIrql
ours: [39] kernel.call KfLowerIrql
canary: [40] kernel.return KfLowerIrql
ours: [40] kernel.return KfLowerIrql
```
**Divergent event:**
```
canary: [41] import.call XAudioGetVoiceCategoryVolumeChangeMask
ours: [41] import.call RtlEnterCriticalSection
```
**Next event after the divergence (if any):**
```
canary: [42] kernel.call XAudioGetVoiceCategoryVolumeChangeMask
ours: [42] kernel.call RtlEnterCriticalSection
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1898677900, "kind": "import.call", "payload": {"module": "xboxkrnl.exe", "name": "XAudioGetVoiceCategoryVolumeChangeMask", "ord": 503}, "schema_version": 1, "tid": 14, "tid_event_idx": 41}
{"deterministic": true, "engine": "ours", "guest_cycle": 417, "host_ns": 1694886289, "kind": "import.call", "payload": {"module": "xboxkrnl.exe", "name": "RtlEnterCriticalSection", "ord": 293}, "schema_version": 1, "tid": 9, "tid_event_idx": 41}
```
## canary_tid=15 → ours_tid=10
No divergence within the 16 compared events (canary has 11558, ours has 17).
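
Review bot: In the `canary_tid=6 → ours_tid=1` section the heading gives a single `tid_event_idx=105128`, but the event blocks show that this is the index on the ours side only; canary's divergent event is `[105135]`, seven positions ahead. The summary row accounts for one of those seven (`floating_wait` 1/0) and has no column for nested-CS absorptions, so the rest of the offset is unexplained to anyone reading this report on its own. Suggest printing both indices in the heading and adding a per-side nested-cs absorbed count next to the two floating columns. Also worth checking: the reported difference is `payload.ctx_ptr` (`0xbe56bb3c` vs `0x42453b3c`), while `handle_semantic_id` differs in the same event without being reported; if `ctx_ptr` is likewise an engine-specific address, does it belong in the same skip list rather than being reported as the first divergence?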

@@ -0,0 +1,137 @@
# Phase A diff report
**This report is the output of Phase A's diff harness. Divergences
shown here are INPUT for Phase B (first-divergence localization),
not findings of Phase A.** Phase A's job is to make the harness
itself correct, not to analyze what it surfaces.
## Summary
| canary_tid | ours_tid | matched | canary_total | ours_total | first_divergence_at | floating_create (c/o) | floating_wait (c/o) |
|---|---|---|---|---|---|---|---|
| 4 | 11 | 11 | 2099 | 11 | — | 0/0 | 0/0 |
| 6 | 1 | 104607 | 119455 | 108507 | 104607 | 0/0 | 0/0 |
| 7 | 2 | 32 | 32 | 33 | — | 0/0 | 0/0 |
| 12 | 7 | 4 | 374 | 5 | 4 | 0/0 | 0/0 |
| 14 | 9 | 41 | 26901 | 77 | 41 | 0/0 | 0/0 |
| 15 | 10 | 16 | 11558 | 17 | — | 0/1 | 0/0 |
*`floating_create (c/o)` counts shared-global `handle.create` events absorbed by Phase C+18 cross-tid SID matching. `floating_wait (c/o)` counts `wait.begin` events on shared-global dispatchers absorbed by Phase C+21 (scheduling-jitter window — canary's contention slow path may fire while ours fast-paths or vice versa). See schema-v1.md §"Shared-global SIDs" and §"Wait-begin floating absorb".*
## canary_tid=4 → ours_tid=11
No divergence within the 11 compared events (canary has 2099, ours has 11).
## canary_tid=6 → ours_tid=1
First divergence at `tid_event_idx=104607`: payload.ord: canary=293 ours=304
**Pre-context (last 5 matching events):**
```
canary: [104602] kernel.call RtlLeaveCriticalSection
ours: [104602] kernel.call RtlLeaveCriticalSection
canary: [104603] kernel.return RtlLeaveCriticalSection
ours: [104603] kernel.return RtlLeaveCriticalSection
canary: [104604] import.call RtlEnterCriticalSection
ours: [104604] import.call RtlEnterCriticalSection
canary: [104605] kernel.call RtlEnterCriticalSection
ours: [104605] kernel.call RtlEnterCriticalSection
canary: [104606] kernel.return RtlEnterCriticalSection
ours: [104606] kernel.return RtlEnterCriticalSection
```
**Divergent event:**
```
canary: [104607] import.call RtlEnterCriticalSection
ours: [104607] import.call RtlLeaveCriticalSection
```
**Next event after the divergence (if any):**
```
canary: [104608] kernel.call RtlEnterCriticalSection
ours: [104608] kernel.call RtlLeaveCriticalSection
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1559822200, "kind": "import.call", "payload": {"module": "xboxkrnl.exe", "name": "RtlEnterCriticalSection", "ord": 293}, "schema_version": 1, "tid": 6, "tid_event_idx": 104607}
{"deterministic": true, "engine": "ours", "guest_cycle": 5517276, "host_ns": 485474324, "kind": "import.call", "payload": {"module": "xboxkrnl.exe", "name": "RtlLeaveCriticalSection", "ord": 304}, "schema_version": 1, "tid": 1, "tid_event_idx": 104607}
```
## canary_tid=7 → ours_tid=2
No divergence within the 32 compared events (canary has 32, ours has 33).
## canary_tid=12 → ours_tid=7
First divergence at `tid_event_idx=4`: payload.return_value: canary=258 ours=0
**Pre-context (last 5 matching events):**
```
canary: [0] import.call KeWaitForSingleObject
ours: [0] import.call KeWaitForSingleObject
canary: [1] kernel.call KeWaitForSingleObject
ours: [1] kernel.call KeWaitForSingleObject
canary: [2] handle.create sid=c49d8f0ab90401ea
ours: [2] handle.create sid=6e3d96c5a52bf429
canary: [3] wait.begin {'handles_semantic_ids': ['c49d8f0ab90401ea'], 'timeout_ns': -30000000, 'alertable': False, 'wait_type': 'any'}
ours: [3] wait.begin {'handles_semantic_ids': ['6e3d96c5a52bf429'], 'timeout_ns': -30000000, 'alertable': False, 'wait_type': 'any'}
```
**Divergent event:**
```
canary: [4] kernel.return KeWaitForSingleObject
ours: [4] kernel.return KeWaitForSingleObject
```
**Next event after the divergence (if any):**
```
canary: [5] import.call RtlEnterCriticalSection
ours: <end of stream>
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1676368000, "kind": "kernel.return", "payload": {"name": "KeWaitForSingleObject", "return_value": 258, "side_effects": [], "status": "0x00000102"}, "schema_version": 1, "tid": 12, "tid_event_idx": 4}
{"deterministic": true, "engine": "ours", "guest_cycle": 30, "host_ns": 494789418, "kind": "kernel.return", "payload": {"name": "KeWaitForSingleObject", "return_value": 0, "side_effects": [], "status": "0x00000000"}, "schema_version": 1, "tid": 7, "tid_event_idx": 4}
```
## canary_tid=14 → ours_tid=9
First divergence at `tid_event_idx=41`: payload.ord: canary=503 ours=293
**Pre-context (last 5 matching events):**
```
canary: [36] kernel.call KeReleaseSpinLockFromRaisedIrql
ours: [36] kernel.call KeReleaseSpinLockFromRaisedIrql
canary: [37] kernel.return KeReleaseSpinLockFromRaisedIrql
ours: [37] kernel.return KeReleaseSpinLockFromRaisedIrql
canary: [38] import.call KfLowerIrql
ours: [38] import.call KfLowerIrql
canary: [39] kernel.call KfLowerIrql
ours: [39] kernel.call KfLowerIrql
canary: [40] kernel.return KfLowerIrql
ours: [40] kernel.return KfLowerIrql
```
**Divergent event:**
```
canary: [41] import.call XAudioGetVoiceCategoryVolumeChangeMask
ours: [41] import.call RtlEnterCriticalSection
```
**Next event after the divergence (if any):**
```
canary: [42] kernel.call XAudioGetVoiceCategoryVolumeChangeMask
ours: [42] kernel.call RtlEnterCriticalSection
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1898677900, "kind": "import.call", "payload": {"module": "xboxkrnl.exe", "name": "XAudioGetVoiceCategoryVolumeChangeMask", "ord": 503}, "schema_version": 1, "tid": 14, "tid_event_idx": 41}
{"deterministic": true, "engine": "ours", "guest_cycle": 417, "host_ns": 1694886289, "kind": "import.call", "payload": {"module": "xboxkrnl.exe", "name": "RtlEnterCriticalSection", "ord": 293}, "schema_version": 1, "tid": 9, "tid_event_idx": 41}
```
## canary_tid=15 → ours_tid=10
No divergence within the 16 compared events (canary has 11558, ours has 17).
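
Review bot: Nothing in this report records the configuration that produced it: the title and preamble are the same as in the other Phase A reports in this commit, and only the `6 → 1` summary row (matched 104607, `floating_wait` 0/0) hints that an absorber was switched off. Add a header block with the input trace names, the tid-map, and the enabled or disabled state of each absorber, so the file can be read without the cross-reference notes. In the `canary_tid=7 → ours_tid=2` and `canary_tid=4 → ours_tid=11` sections, "No divergence" with `first_divergence_at` shown as "—" also hides that the streams differ in length (32 vs 33, 2099 vs 11); reporting the early end of stream explicitly, as the `12 → 7` section does with `<end of stream>`, would keep a truncated thread from reading as a clean match.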

@@ -0,0 +1,163 @@
# Phase A diff report
**This report is the output of Phase A's diff harness. Divergences
shown here are INPUT for Phase B (first-divergence localization),
not findings of Phase A.** Phase A's job is to make the harness
itself correct, not to analyze what it surfaces.
## Summary
| canary_tid | ours_tid | matched | canary_total | ours_total | first_divergence_at | floating_create (c/o) | floating_wait (c/o) |
|---|---|---|---|---|---|---|---|
| 4 | 11 | 11 | 2099 | 11 | — | 0/0 | 0/0 |
| 6 | 1 | 105128 | 119455 | 108507 | 105128 | 0/0 | 1/0 |
| 7 | 2 | 32 | 32 | 33 | — | 0/0 | 0/0 |
| 12 | 7 | 4 | 374 | 5 | 4 | 0/0 | 0/0 |
| 14 | 9 | 41 | 26901 | 77 | 41 | 0/0 | 0/0 |
| 15 | 10 | 2 | 11558 | 17 | 2 | 0/0 | 1/0 |
*`floating_create (c/o)` counts shared-global `handle.create` events absorbed by Phase C+18 cross-tid SID matching. `floating_wait (c/o)` counts `wait.begin` events on shared-global dispatchers absorbed by Phase C+21 (scheduling-jitter window — canary's contention slow path may fire while ours fast-paths or vice versa). See schema-v1.md §"Shared-global SIDs" and §"Wait-begin floating absorb".*
## canary_tid=4 → ours_tid=11
No divergence within the 11 compared events (canary has 2099, ours has 11).
## canary_tid=6 → ours_tid=1
First divergence at `tid_event_idx=105128`: payload.ctx_ptr: canary='0xbe56bb3c' ours='0x42453b3c'
**Pre-context (last 5 matching events):**
```
canary: [105130] kernel.call KiApcNormalRoutineNop
ours: [105123] kernel.call KiApcNormalRoutineNop
canary: [105131] kernel.return KiApcNormalRoutineNop
ours: [105124] kernel.return KiApcNormalRoutineNop
canary: [105132] import.call ExCreateThread
ours: [105125] import.call ExCreateThread
canary: [105133] kernel.call ExCreateThread
ours: [105126] kernel.call ExCreateThread
canary: [105134] handle.create sid=17d8b2ba9dd4ba13
ours: [105127] handle.create sid=3562d07db6ff161d
```
**Divergent event:**
```
canary: [105135] thread.create {'handle_semantic_id': '17d8b2ba9dd4ba13', 'parent_tid': 6, 'entry_pc': '0x824cd458', 'ctx_ptr': '0xbe56bb3c', 'priority': 0, 'affinity': 4, 'stack_size': 32768, 'suspended': False}
ours: [105128] thread.create {'handle_semantic_id': '3562d07db6ff161d', 'parent_tid': 1, 'entry_pc': '0x824cd458', 'ctx_ptr': '0x42453b3c', 'priority': 0, 'affinity': 4, 'stack_size': 32768, 'suspended': False}
```
**Next event after the divergence (if any):**
```
canary: [105136] kernel.return ExCreateThread
ours: [105129] kernel.return ExCreateThread
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1644146200, "kind": "thread.create", "payload": {"affinity": 4, "ctx_ptr": "0xbe56bb3c", "entry_pc": "0x824cd458", "handle_semantic_id": "17d8b2ba9dd4ba13", "parent_tid": 6, "priority": 0, "stack_size": 32768, "suspended": false}, "schema_version": 1, "tid": 6, "tid_event_idx": 105135}
{"deterministic": true, "engine": "ours", "guest_cycle": 0, "host_ns": 494758288, "kind": "thread.create", "payload": {"affinity": 4, "ctx_ptr": "0x42453b3c", "entry_pc": "0x824cd458", "handle_semantic_id": "3562d07db6ff161d", "parent_tid": 1, "priority": 0, "stack_size": 32768, "suspended": false}, "schema_version": 1, "tid": 1, "tid_event_idx": 105128}
```
## canary_tid=7 → ours_tid=2
No divergence within the 32 compared events (canary has 32, ours has 33).
## canary_tid=12 → ours_tid=7
First divergence at `tid_event_idx=4`: payload.return_value: canary=258 ours=0
**Pre-context (last 5 matching events):**
```
canary: [0] import.call KeWaitForSingleObject
ours: [0] import.call KeWaitForSingleObject
canary: [1] kernel.call KeWaitForSingleObject
ours: [1] kernel.call KeWaitForSingleObject
canary: [2] handle.create sid=c49d8f0ab90401ea
ours: [2] handle.create sid=6e3d96c5a52bf429
canary: [3] wait.begin {'handles_semantic_ids': ['c49d8f0ab90401ea'], 'timeout_ns': -30000000, 'alertable': False, 'wait_type': 'any'}
ours: [3] wait.begin {'handles_semantic_ids': ['6e3d96c5a52bf429'], 'timeout_ns': -30000000, 'alertable': False, 'wait_type': 'any'}
```
**Divergent event:**
```
canary: [4] kernel.return KeWaitForSingleObject
ours: [4] kernel.return KeWaitForSingleObject
```
**Next event after the divergence (if any):**
```
canary: [5] import.call RtlEnterCriticalSection
ours: <end of stream>
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1676368000, "kind": "kernel.return", "payload": {"name": "KeWaitForSingleObject", "return_value": 258, "side_effects": [], "status": "0x00000102"}, "schema_version": 1, "tid": 12, "tid_event_idx": 4}
{"deterministic": true, "engine": "ours", "guest_cycle": 30, "host_ns": 494789418, "kind": "kernel.return", "payload": {"name": "KeWaitForSingleObject", "return_value": 0, "side_effects": [], "status": "0x00000000"}, "schema_version": 1, "tid": 7, "tid_event_idx": 4}
```
## canary_tid=14 → ours_tid=9
First divergence at `tid_event_idx=41`: payload.ord: canary=503 ours=293
**Pre-context (last 5 matching events):**
```
canary: [36] kernel.call KeReleaseSpinLockFromRaisedIrql
ours: [36] kernel.call KeReleaseSpinLockFromRaisedIrql
canary: [37] kernel.return KeReleaseSpinLockFromRaisedIrql
ours: [37] kernel.return KeReleaseSpinLockFromRaisedIrql
canary: [38] import.call KfLowerIrql
ours: [38] import.call KfLowerIrql
canary: [39] kernel.call KfLowerIrql
ours: [39] kernel.call KfLowerIrql
canary: [40] kernel.return KfLowerIrql
ours: [40] kernel.return KfLowerIrql
```
**Divergent event:**
```
canary: [41] import.call XAudioGetVoiceCategoryVolumeChangeMask
ours: [41] import.call RtlEnterCriticalSection
```
**Next event after the divergence (if any):**
```
canary: [42] kernel.call XAudioGetVoiceCategoryVolumeChangeMask
ours: [42] kernel.call RtlEnterCriticalSection
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1898677900, "kind": "import.call", "payload": {"module": "xboxkrnl.exe", "name": "XAudioGetVoiceCategoryVolumeChangeMask", "ord": 503}, "schema_version": 1, "tid": 14, "tid_event_idx": 41}
{"deterministic": true, "engine": "ours", "guest_cycle": 417, "host_ns": 1694886289, "kind": "import.call", "payload": {"module": "xboxkrnl.exe", "name": "RtlEnterCriticalSection", "ord": 293}, "schema_version": 1, "tid": 9, "tid_event_idx": 41}
```
## canary_tid=15 → ours_tid=10
First divergence at `tid_event_idx=2`: kind: canary='kernel.return' ours='handle.create'
**Pre-context (last 5 matching events):**
```
canary: [0] import.call KeWaitForSingleObject
ours: [0] import.call KeWaitForSingleObject
canary: [1] kernel.call KeWaitForSingleObject
ours: [1] kernel.call KeWaitForSingleObject
```
**Divergent event:**
```
canary: [3] kernel.return KeWaitForSingleObject
ours: [2] handle.create sid=ac8315b371bcf7cb
```
**Next event after the divergence (if any):**
```
canary: [4] import.call KeRaiseIrqlToDpcLevel
ours: [3] wait.begin {'handles_semantic_ids': ['ac8315b371bcf7cb'], 'timeout_ns': -1, 'alertable': False, 'wait_type': 'any'}
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1898852500, "kind": "kernel.return", "payload": {"name": "KeWaitForSingleObject", "return_value": 0, "side_effects": [], "status": "0x00000000"}, "schema_version": 1, "tid": 15, "tid_event_idx": 3}
{"deterministic": true, "engine": "ours", "guest_cycle": 0, "host_ns": 1625768976, "kind": "handle.create", "payload": {"handle_semantic_id": "ac8315b371bcf7cb", "object_name": null, "object_type": 3, "raw_handle_id": "0x828a3230"}, "schema_version": 1, "tid": 10, "tid_event_idx": 2}
```
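
Review bot: In the `canary_tid=15 → ours_tid=10` section canary's event `[2]` never appears: the pre-context ends at `[1]` and the divergent event is canary `[3]` against ours `[2]`. The summary row shows `floating_wait` 1/0 for this pair, so presumably canary `[2]` was absorbed, but the per-tid section does not say so. List absorbed events inline in the pre-context, marked as absorbed and with the absorber name, so index gaps are explained where they occur. The same row also shows a `wait.begin` absorb firing that the `15 → 10` rows of the other reports on this page do not have (`floating_wait` 0/0 there), which suggests the absorbers interact and a selective-disable delta cannot be attributed to one absorber alone; the report should flag that.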

@@ -0,0 +1,137 @@
# Phase A diff report
**This report is the output of Phase A's diff harness. Divergences
shown here are INPUT for Phase B (first-divergence localization),
not findings of Phase A.** Phase A's job is to make the harness
itself correct, not to analyze what it surfaces.
## Summary
| canary_tid | ours_tid | matched | canary_total | ours_total | first_divergence_at | floating_create (c/o) | floating_wait (c/o) |
|---|---|---|---|---|---|---|---|
| 4 | 11 | 11 | 2099 | 11 | — | 0/0 | 0/0 |
| 6 | 1 | 104616 | 119455 | 108507 | 104616 | 0/0 | 0/0 |
| 7 | 2 | 32 | 32 | 33 | — | 0/0 | 0/0 |
| 12 | 7 | 4 | 374 | 5 | 4 | 0/0 | 0/0 |
| 14 | 9 | 41 | 26901 | 77 | 41 | 0/0 | 0/0 |
| 15 | 10 | 16 | 11558 | 17 | — | 0/1 | 0/0 |
*`floating_create (c/o)` counts shared-global `handle.create` events absorbed by Phase C+18 cross-tid SID matching. `floating_wait (c/o)` counts `wait.begin` events on shared-global dispatchers absorbed by Phase C+21 (scheduling-jitter window — canary's contention slow path may fire while ours fast-paths or vice versa). See schema-v1.md §"Shared-global SIDs" and §"Wait-begin floating absorb".*
## canary_tid=4 → ours_tid=11
No divergence within the 11 compared events (canary has 2099, ours has 11).
## canary_tid=6 → ours_tid=1
First divergence at `tid_event_idx=104616`: kind: canary='wait.begin' ours='kernel.return'
**Pre-context (last 5 matching events):**
```
canary: [104617] kernel.call NtClose
ours: [104611] kernel.call NtClose
canary: [104618] handle.destroy sid=648cb0d5adfa9125
ours: [104612] handle.destroy sid=f02c5bda6f21992e
canary: [104619] kernel.return NtClose
ours: [104613] kernel.return NtClose
canary: [104620] import.call RtlEnterCriticalSection
ours: [104614] import.call RtlEnterCriticalSection
canary: [104621] kernel.call RtlEnterCriticalSection
ours: [104615] kernel.call RtlEnterCriticalSection
```
**Divergent event:**
```
canary: [104622] wait.begin {'handles_semantic_ids': ['a25a16a4f6f547aa'], 'timeout_ns': -1, 'alertable': False, 'wait_type': 'any'}
ours: [104616] kernel.return RtlEnterCriticalSection
```
**Next event after the divergence (if any):**
```
canary: [104623] kernel.return RtlEnterCriticalSection
ours: [104617] import.call RtlLeaveCriticalSection
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1560019200, "kind": "wait.begin", "payload": {"alertable": false, "handles_semantic_ids": ["a25a16a4f6f547aa"], "timeout_ns": -1, "wait_type": "any"}, "schema_version": 1, "tid": 6, "tid_event_idx": 104622}
{"deterministic": true, "engine": "ours", "guest_cycle": 5517445, "host_ns": 485504625, "kind": "kernel.return", "payload": {"name": "RtlEnterCriticalSection", "return_value": 0, "side_effects": [], "status": "0x00000000"}, "schema_version": 1, "tid": 1, "tid_event_idx": 104616}
```
## canary_tid=7 → ours_tid=2
No divergence within the 32 compared events (canary has 32, ours has 33).
## canary_tid=12 → ours_tid=7
First divergence at `tid_event_idx=4`: payload.return_value: canary=258 ours=0
**Pre-context (last 5 matching events):**
```
canary: [0] import.call KeWaitForSingleObject
ours: [0] import.call KeWaitForSingleObject
canary: [1] kernel.call KeWaitForSingleObject
ours: [1] kernel.call KeWaitForSingleObject
canary: [2] handle.create sid=c49d8f0ab90401ea
ours: [2] handle.create sid=6e3d96c5a52bf429
canary: [3] wait.begin {'handles_semantic_ids': ['c49d8f0ab90401ea'], 'timeout_ns': -30000000, 'alertable': False, 'wait_type': 'any'}
ours: [3] wait.begin {'handles_semantic_ids': ['6e3d96c5a52bf429'], 'timeout_ns': -30000000, 'alertable': False, 'wait_type': 'any'}
```
**Divergent event:**
```
canary: [4] kernel.return KeWaitForSingleObject
ours: [4] kernel.return KeWaitForSingleObject
```
**Next event after the divergence (if any):**
```
canary: [5] import.call RtlEnterCriticalSection
ours: <end of stream>
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1676368000, "kind": "kernel.return", "payload": {"name": "KeWaitForSingleObject", "return_value": 258, "side_effects": [], "status": "0x00000102"}, "schema_version": 1, "tid": 12, "tid_event_idx": 4}
{"deterministic": true, "engine": "ours", "guest_cycle": 30, "host_ns": 494789418, "kind": "kernel.return", "payload": {"name": "KeWaitForSingleObject", "return_value": 0, "side_effects": [], "status": "0x00000000"}, "schema_version": 1, "tid": 7, "tid_event_idx": 4}
```
## canary_tid=14 → ours_tid=9
First divergence at `tid_event_idx=41`: payload.ord: canary=503 ours=293
**Pre-context (last 5 matching events):**
```
canary: [36] kernel.call KeReleaseSpinLockFromRaisedIrql
ours: [36] kernel.call KeReleaseSpinLockFromRaisedIrql
canary: [37] kernel.return KeReleaseSpinLockFromRaisedIrql
ours: [37] kernel.return KeReleaseSpinLockFromRaisedIrql
canary: [38] import.call KfLowerIrql
ours: [38] import.call KfLowerIrql
canary: [39] kernel.call KfLowerIrql
ours: [39] kernel.call KfLowerIrql
canary: [40] kernel.return KfLowerIrql
ours: [40] kernel.return KfLowerIrql
```
**Divergent event:**
```
canary: [41] import.call XAudioGetVoiceCategoryVolumeChangeMask
ours: [41] import.call RtlEnterCriticalSection
```
**Next event after the divergence (if any):**
```
canary: [42] kernel.call XAudioGetVoiceCategoryVolumeChangeMask
ours: [42] kernel.call RtlEnterCriticalSection
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 1898677900, "kind": "import.call", "payload": {"module": "xboxkrnl.exe", "name": "XAudioGetVoiceCategoryVolumeChangeMask", "ord": 503}, "schema_version": 1, "tid": 14, "tid_event_idx": 41}
{"deterministic": true, "engine": "ours", "guest_cycle": 417, "host_ns": 1694886289, "kind": "import.call", "payload": {"module": "xboxkrnl.exe", "name": "RtlEnterCriticalSection", "ord": 293}, "schema_version": 1, "tid": 9, "tid_event_idx": 41}
```
## canary_tid=15 → ours_tid=10
No divergence within the 16 compared events (canary has 11558, ours has 17).
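Review bot: In `canary_tid=6 → ours_tid=1`, the canary indices run six ahead of ours through the whole pre-context and at the divergence (`[104622]` against `[104616]`), yet the summary row reports `0/0` in both floating columns, so nothing in the report accounts for that offset. The table counts only the Phase C+18 and Phase C+21 absorbs. Add a per-side count of all skipped or absorbed events to each row, covering every absorber, so the index gap can be reconciled from the report alone. A second point in the same table: the rows for `canary_tid=4` and `canary_tid=15` show no first divergence and their sections read "No divergence", although ours ends after 11 and 17 events against 2099 and 11558 on canary. A distinct "ours stream ended" status would keep an early-terminated thread from reading as parity.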