handoff: VSync/event-wedge fixes + iterate 2.A–2.BC research notes

Source changes (dormant parity infra, retained from iterate 2.AI/2.AO):
- xenia-kernel/exports.rs: nt_create_event manual_reset polarity +
  related event wiring
- xenia-gpu/mmio_region.rs: D1MODE_VBLANK_VLINE_STATUS hardcode parity

Also lands the audit-runs/ analysis notes (.md/.txt/.json digests) for the
iterate 2.x VSync/0x10e8/0x1004 wedge investigation. Raw trace dumps
(.jsonl/.gz/.csv/.stdout) and agent worktrees (.claude/) are gitignored as
regenerable local artifacts — see memory + HANDOFF for the running findings.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
MechaCat02
2026-06-05 07:19:08 +02:00
parent acd1656753
commit ef93a4fa14
620 changed files with 108303 additions and 1 deletions

@@ -0,0 +1,111 @@
# Phase C — first-divergence classification
## The raw first byte-diff
| | |
|---|---|
| Guest VA | `0x82000600` |
| File offset | `0x00000600` |
| Section | `.rdata` (start of section, virtual_address = 0x600) |
| canary byte | `0xde` (start of `de ad c0 de` poison pattern) |
| ours byte | `0x00` |
| .pe byte | `0x00` |
## The diff is the xam.xex variable-import slot table
`xex.json` lists 52 `record_type=0` imports for `xam.xex`, each at a
sequential 4-byte slot starting at `address = 0x82000600`:
```
xam.xex ord=652 rt=0 addr=0x82000600
xam.xex ord=700 rt=0 addr=0x82000604
xam.xex ord=705 rt=0 addr=0x82000608
xam.xex ord=725 rt=0 addr=0x8200060c
...
```
The next 20452 = 152 `record_type=0` slots are for `xboxkrnl.exe`,
continuing at `0x820006D0..0x82000934`.
## What each engine writes at these slots
| | record_type=0 (var slot, 4 bytes) | record_type=1 (thunk, 16 bytes) |
|---|---|---|
| canary | `de ad c0 de` (poison sentinel) | host-shim bytes: `44 00 00 42 / 4e 80 00 20 / 60 00 00 00 / 60 00 00 00` (`sc; blr; nop; nop`) |
| ours | `00 00 00 00` (zero) | leaves .pe bytes in place (`01 00 ord_hi ord_lo / 02 00 ord_hi ord_lo / mtspr ctr,r11 / bctr`) |
| .pe | XEX import-record tag: `00 00 ord_hi ord_lo` | template thunk: `01 00 ord_hi ord_lo / 02 00 ord_hi ord_lo / mtspr ctr,r11 / bctr` |
## Classification: **import-thunk / ε-class allocator drift**
This matches **tripstone #2** of the Phase C brief verbatim:
> Import thunks are legitimately engine-specific. If first byte-diff is
> in a thunk, canonicalize and re-find first diff.
The two engines implement different HLE dispatch strategies:
- **canary**: in-place thunk patching. Overwrites the guest XEX bytes
with host-shim instructions; record_type=0 slots get `0xDEADC0DE`
poison (canary panics if a guest dereferences an unimplemented import
variable).
- **ours**: HLE dispatch happens at the JIT translation layer, not by
patching the thunk. Record_type=1 thunks keep their original `.pe`
bytes; record_type=0 slots get zeroed (still distinguishable from
the .pe ordinal-tag content if guest code reads them).
Both are valid engine implementation choices.
## After canonicalization — the real check
Mask all import-slot bytes (record_type=0 = 4 bytes per slot,
record_type=1 = 16 bytes per slot, total 3920 bytes across 398 slots)
to `0xCD` in canary, ours, AND .pe. Then compare:
```
canary canonical sha256: 62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96
ours canonical sha256: 62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96
pe canonical sha256: 62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96
```
**All three match.** Bytes differing canonical: **0**.
## Conclusion
There is **NO real engine divergence** at the image-load layer.
- Both engines decode the XEX2 file correctly.
- Both load it into guest memory at the correct virtual addresses.
- Both produce byte-identical content outside the import-patch region.
- Even .pe (an independent third-party offline XEX2 decoder) produces
the exact same canonical content.
The Phase B `image_loaded_sha256` δ-content-STOP was a **false positive**
caused by an overly strict invariant: hashing engine-specific runtime
patches as if they were XEX content.
## What the fix is
The fix is in the **comparison framework**, not the engines:
1. `diff_state.py`: relaxed STOP invariant — when `--xex-json` is
provided AND both snapshots contain `image.bin`, compute and check
`image_canonical_sha256` (engine-mask agnostic) as the real STOP
key. The raw `image_loaded_sha256` is still reported but is
informational.
2. `phase_b_snapshot.{rs,cc}`: when `phase_b_dump_section_content` is
set, emit `image.bin` (raw bytes of the XEX image region) so the
diff tool can perform canonicalization. Default-off; cvar-OFF
binary digest is byte-identical to pre-Phase-C baseline.
## What this implies for downstream divergences
The Phase B catalog's 57 remaining divergences (post-image-load) are
still meaningful — they describe real differences in stack/PCR/TLS
allocation strategy, heap layout, kernel-object population, and
exports-table state. These are now interpretable on a verified
canonically-equivalent image baseline.
The Phase A diff's first runtime divergence at `tid_event_idx=113`
(`KeQuerySystemTime return_value`) is the next Phase C+1 target. It
is **not** a downstream symptom of the image-load mismatch; it is the
next genuine engine divergence in the kernel-call sequence.
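Review bot: the slot arithmetic in the "xam.xex variable-import slot table" section does not add up as written. "The next 20452 = 152" looks like "204 - 52 = 152" with the operator lost, and 152 four-byte slots starting at `0x820006D0` end at `0x82000930` (exclusive), not `0x82000934`. Either say that the xboxkrnl range is not contiguous or correct the end address, and spell out the split: 204 record_type=0 slots at 4 bytes plus 194 record_type=1 thunks at 16 bytes gives the 3920 bytes across 398 slots quoted under "After canonicalization", so the mask size can be checked by hand.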

@@ -0,0 +1,10 @@
{
"instructions": 50000001,
"imports": 40454,
"unimpl": 0,
"draws": 0,
"swaps": 1,
"unique_render_targets": 0,
"shader_blobs_live": 0,
"texture_cache_entries": 0
}

@@ -0,0 +1,10 @@
{
"instructions": 50000001,
"imports": 40454,
"unimpl": 0,
"draws": 0,
"swaps": 1,
"unique_render_targets": 0,
"shader_blobs_live": 0,
"texture_cache_entries": 0
}

@@ -0,0 +1,10 @@
{
"instructions": 50000001,
"imports": 40454,
"unimpl": 0,
"draws": 0,
"swaps": 1,
"unique_render_targets": 0,
"shader_blobs_live": 0,
"texture_cache_entries": 0
}

@@ -0,0 +1,45 @@
# Phase C — first byte-diff report
- canary image.bin: snap-001/canary/image.bin (9568256 bytes)
- ours image.bin: snap-001/ours/image.bin (9568256 bytes)
- pe reference: /home/fabi/RE - Project Sylpheed/Project Sylpheed - Arc of Deception (USA, Europe) (En,Ja).pe (9568256 bytes)
- image_base: 0x82000000
- import-slot ranges (merged): 3, bytes=3920
## Raw byte hashes
- canary sha256: `a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c`
- ours sha256: `ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18`
- pe sha256: `9be5f5621c517c78a451245eca25d54388af741ed20e669b2f78438aaa429e72`
## Pass 1 — raw byte-diff (uncanonicalized)
- first byte-diff at off=0x00000600 VA=0x82000600
- classification: .rdata (off=+0x0 into section)
- canary byte: 0xde
- ours byte: 0x00
- pe ref byte: 0x00
context canary: `00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 de ad c0 de de ad c0 de de ad c0 de de ad c0 de de`
context ours : `00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00`
context pe : `00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 8c 00 00 02 bc 00 00 02 c1 00 00 02 d5 00`
## Pass 2 — canonicalized (import slots masked to 0xCD)
- canary canonical sha256: `62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96`
- ours canonical sha256: `62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96`
- pe canonical sha256: `62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96`
- **canary == ours canonical match ✅**
- the image_loaded_sha256 mismatch is **fully explained** by legitimate engine-specific import-thunk patches.
- NO real engine divergence at this layer.
## Pass 3 — engine vs .pe ground truth (canonicalized)
- canary canonical == pe canonical ✅
- ours canonical == pe canonical ✅
## Summary
- bytes differing raw: 3704
- bytes differing canonical: 0
- import-slot mask bytes: 3920
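Review bot: the "pe reference" line in the report header records an absolute workstation path under `/home/fabi/`, which commits a local username and directory layout into the repository and ties the report to one machine. Have the script print the basename (or a path relative to the repo root); the sha256 under "Raw byte hashes" already identifies the file. Separately, the summary gives 3704 raw differing bytes against a 3920-byte mask. A one-line remark that the other 216 masked bytes happen to be equal in both engines would save the reader from wondering whether the mask is wider than it needs to be.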

@@ -0,0 +1,259 @@
#!/usr/bin/env python3
"""Phase C — first byte-diff between two engines' loaded XEX images.
Inputs:
--canary PATH canary's image.bin (loaded XEX bytes)
--ours PATH ours's image.bin
--pe PATH third-party reference: extracted .pe (xex-extract output)
--xex-json PATH xex.json metadata (used for section names AND import-slot
canonicalization — record_type=0 slots are 4 bytes,
record_type=1 thunks are 16 bytes)
--image-base HEX guest VA base of image (default 0x82000000)
Two passes:
1) Raw byte-diff. Reports first diff between canary and ours.
2) Canonicalized byte-diff. Masks XEX import slots (legitimate
engine-specific runtime patches per tripstone #2) and reports the
first remaining diff — that's the candidate REAL divergence.
If canonical pass shows no remaining diffs, the engines load the XEX
into byte-identical state and the original sha256 mismatch is fully
explained by import patches.
"""
import argparse
import json
import struct
import sys
PE_SLOT_RT0 = 4 # variable-import slot is 4 bytes (one BE u32)
PE_SLOT_RT1 = 16 # thunk slot is 16 bytes (lis+li+mtctr+bctr or shim)
def collect_import_ranges(xex_meta: dict) -> list:
"""Return list of (start_va, end_va) covering every XEX import slot."""
ranges = []
for lib in xex_meta["import_libraries"]:
for imp in lib["imports"]:
addr = imp["address"]
rt = imp["record_type"]
if rt == 0:
ranges.append((addr, addr + PE_SLOT_RT0))
elif rt == 1:
ranges.append((addr, addr + PE_SLOT_RT1))
return ranges
def merge_ranges(ranges: list) -> list:
if not ranges:
return []
ranges = sorted(ranges)
merged = [list(ranges[0])]
for s, e in ranges[1:]:
if s <= merged[-1][1]:
merged[-1][1] = max(merged[-1][1], e)
else:
merged.append([s, e])
return [tuple(p) for p in merged]
def canonicalize(image: bytes, ranges_va: list, image_base: int) -> bytes:
"""Return a copy of image with import-slot byte ranges replaced by 0xCD.
0xCD is the Win32 'uninitialized stack' marker — a sentinel that's
extremely unlikely to occur naturally so any leakage is visible.
"""
buf = bytearray(image)
for sva, eva in ranges_va:
s = sva - image_base
e = eva - image_base
if s < 0 or e > len(buf):
continue
for i in range(s, e):
buf[i] = 0xCD
return bytes(buf)
def find_first_diff(a: bytes, b: bytes) -> int:
n = min(len(a), len(b))
block = 1 << 16
for off in range(0, n, block):
end = min(off + block, n)
if a[off:end] != b[off:end]:
for i in range(off, end):
if a[i] != b[i]:
return i
if len(a) != len(b):
return n
return -1
def find_diff_runs(a: bytes, b: bytes, max_runs: int = 16) -> list:
n = min(len(a), len(b))
runs = []
i = 0
while i < n and len(runs) < max_runs:
if a[i] != b[i]:
j = i
while j < n and a[j] != b[j]:
j += 1
runs.append((i, j))
i = j
else:
i += 1
return runs
def classify_offset(off: int, sections: list) -> str:
for s in sections:
vstart = s["virtual_address"]
vend = vstart + s["virtual_size"]
if vstart <= off < vend:
return f'{s["name"]} (off=+{off - vstart:#x} into section)'
if sections and off < sections[0]["virtual_address"]:
return f'PE header (before first section va=0x{sections[0]["virtual_address"]:x})'
return f'unmapped (past last section)'
def hex_context(buf: bytes, off: int, radius: int = 16) -> str:
lo = max(0, off - radius)
hi = min(len(buf), off + radius + 1)
return " ".join(f"{b:02x}" for b in buf[lo:hi])
def sha256_hex(data: bytes) -> str:
import hashlib
return hashlib.sha256(data).hexdigest()
def main() -> int:
ap = argparse.ArgumentParser()
ap.add_argument("--canary", required=True)
ap.add_argument("--ours", required=True)
ap.add_argument("--pe", required=True)
ap.add_argument("--xex-json", required=True)
ap.add_argument("--image-base", default="0x82000000")
ap.add_argument("--out", help="optional report path")
args = ap.parse_args()
image_base = int(args.image_base, 16)
canary = open(args.canary, "rb").read()
ours = open(args.ours, "rb").read()
pe = open(args.pe, "rb").read()
meta = json.load(open(args.xex_json))
sections_sorted = sorted(meta["sections"], key=lambda s: s["virtual_address"])
import_ranges_va = merge_ranges(collect_import_ranges(meta))
report = []
p = report.append
p("# Phase C — first byte-diff report")
p("")
p(f"- canary image.bin: {args.canary} ({len(canary)} bytes)")
p(f"- ours image.bin: {args.ours} ({len(ours)} bytes)")
p(f"- pe reference: {args.pe} ({len(pe)} bytes)")
p(f"- image_base: {args.image_base}")
p(f"- import-slot ranges (merged): {len(import_ranges_va)}, "
f"bytes={sum(e - s for s, e in import_ranges_va)}")
p("")
p("## Raw byte hashes")
p(f"- canary sha256: `{sha256_hex(canary)}`")
p(f"- ours sha256: `{sha256_hex(ours)}`")
p(f"- pe sha256: `{sha256_hex(pe)}`")
p("")
# ---- Pass 1: raw diff ----
p("## Pass 1 — raw byte-diff (uncanonicalized)")
p("")
first = find_first_diff(canary, ours)
if first == -1:
p("- canary == ours ✅ (no raw diff)")
else:
va = image_base + first
p(f"- first byte-diff at off=0x{first:08x} VA=0x{va:08x}")
p(f"- classification: {classify_offset(first, sections_sorted)}")
p(f"- canary byte: 0x{canary[first]:02x}")
p(f"- ours byte: 0x{ours[first]:02x}")
if first < len(pe):
p(f"- pe ref byte: 0x{pe[first]:02x}")
p("")
p(f"context canary: `{hex_context(canary, first)}`")
p(f"context ours : `{hex_context(ours, first)}`")
p(f"context pe : `{hex_context(pe, first)}`")
p("")
# ---- Pass 2: canonicalized diff ----
can_canon = canonicalize(canary, import_ranges_va, image_base)
ours_canon = canonicalize(ours, import_ranges_va, image_base)
pe_canon = canonicalize(pe, import_ranges_va, image_base)
p("## Pass 2 — canonicalized (import slots masked to 0xCD)")
p("")
p(f"- canary canonical sha256: `{sha256_hex(can_canon)}`")
p(f"- ours canonical sha256: `{sha256_hex(ours_canon)}`")
p(f"- pe canonical sha256: `{sha256_hex(pe_canon)}`")
p("")
first_canon = find_first_diff(can_canon, ours_canon)
if first_canon == -1:
p("- **canary == ours canonical match ✅**")
p("- the image_loaded_sha256 mismatch is **fully explained** by "
"legitimate engine-specific import-thunk patches.")
p("- NO real engine divergence at this layer.")
else:
va = image_base + first_canon
p(f"- first canonical byte-diff at off=0x{first_canon:08x} VA=0x{va:08x}")
p(f"- classification: {classify_offset(first_canon, sections_sorted)}")
p(f"- canary byte: 0x{can_canon[first_canon]:02x}")
p(f"- ours byte: 0x{ours_canon[first_canon]:02x}")
if first_canon < len(pe_canon):
pb = pe_canon[first_canon]
p(f"- pe ref byte: 0x{pb:02x}")
cmw = can_canon[first_canon] == pb
omw = ours_canon[first_canon] == pb
if cmw and not omw:
p("- verdict: **ours is wrong** at this byte (canary == .pe)")
elif omw and not cmw:
p("- verdict: **canary is wrong** at this byte (ours == .pe)")
else:
p("- verdict: neither matches .pe — possible relocation patch or .pe stale")
p("")
# Cross-check vs .pe
p("## Pass 3 — engine vs .pe ground truth (canonicalized)")
p("")
first_c_vs_pe = find_first_diff(can_canon, pe_canon)
first_o_vs_pe = find_first_diff(ours_canon, pe_canon)
if first_c_vs_pe == -1:
p("- canary canonical == pe canonical ✅")
else:
p(f"- canary != pe first at off=0x{first_c_vs_pe:08x} VA=0x{image_base + first_c_vs_pe:08x} "
f"({classify_offset(first_c_vs_pe, sections_sorted)})")
if first_o_vs_pe == -1:
p("- ours canonical == pe canonical ✅")
else:
p(f"- ours != pe first at off=0x{first_o_vs_pe:08x} VA=0x{image_base + first_o_vs_pe:08x} "
f"({classify_offset(first_o_vs_pe, sections_sorted)})")
p("")
# Summary
raw_diff_count = sum(1 for i in range(min(len(canary), len(ours))) if canary[i] != ours[i])
canon_diff_count = sum(
1 for i in range(min(len(can_canon), len(ours_canon))) if can_canon[i] != ours_canon[i]
)
p("## Summary")
p("")
p(f"- bytes differing raw: {raw_diff_count}")
p(f"- bytes differing canonical: {canon_diff_count}")
p(f"- import-slot mask bytes: "
f"{sum(e - s for s, e in import_ranges_va)}")
text = "\n".join(report)
if args.out:
open(args.out, "w").write(text + "\n")
print(text)
return 0 if (first_canon == -1) else 1
if __name__ == "__main__":
sys.exit(main())
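Review bot: in `main()`, Pass 1 and Pass 2 index `canary[first]` and `ours[first]` without a length check, but `find_first_diff` returns `n = min(len(a), len(b))` when one image is a strict prefix of the other, so a size mismatch ends in an IndexError instead of a report. Compare the three lengths up front and fail with a clear message, or guard the byte prints the way the `.pe` byte already is with `if first < len(pe)`. Related: `canonicalize` silently `continue`s past any range with `s < 0 or e > len(buf)`, so a truncated image gets fewer bytes masked than its peers and the canonical hashes stop being comparable; that case should be an error or at least a line in the report. Smaller points: the exit status reflects only canary vs ours and ignores the Pass 3 `.pe` cross-check, `struct` and `find_diff_runs` are unused, and the `canonicalize` docstring calls 0xCD the uninitialized-stack marker, which in the MSVC debug runtime is 0xCC (0xCD marks uninitialized heap).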

@@ -0,0 +1,78 @@
# Phase C — fix patch
The fix is in the **diff/snapshot infrastructure**, not in either
engine's XEX loader. No engine bug was found; the Phase B STOP
invariant was over-strict.
## Files modified
1. `xenia-rs/tools/diff-state/diff_state.py` — relaxed STOP invariant.
When `--xex-json` is supplied AND both snapshots have `image.bin`,
compute `image_canonical_sha256` (XEX import slots masked) and check
that as the STOP key. The raw `image_loaded_sha256` is reported but
informational.
2. `xenia-rs/crates/xenia-kernel/src/phase_b_snapshot.rs` — when
`phase_b_dump_section_content` is set, also write `image.bin` with
raw bytes of the XEX-image region. Default-off; inert when cvar OFF
(cvar-OFF digest byte-identical to pre-Phase-C baseline).
3. `xenia-canary/src/xenia/kernel/phase_b_snapshot.cc` — same.
## Diff (relative to pre-Phase-C state)
Generated via `git diff --no-index` against an unmodified baseline. The
full unified diffs are below; see also re-validation.md for proof both
engines still build and all gates pass.
--- /dev/fd/63 2026-05-13 22:41:06.597568277 +0200
+++ /dev/fd/62 2026-05-13 22:41:06.596568265 +0200
@@ -1,2 +1,25 @@
let _ = write_file(&engine_dir.join("manifest.json"), &body);
+
+ // Phase C: when dump_section_content is on, write raw bytes of the
+ // XEX image region to <engine_dir>/image.bin. This is the only
+ // region positionally matched between canary and ours, so it's the
+ // only one suitable for byte-level diff.
+ if state.phase_b_dump_section_content && state.image_base != 0 {
+ let mut sz: u32 = 0;
+ let mut a = state.image_base;
+ while mem.is_mapped(a) {
+ sz = sz.wrapping_add(4096);
+ let next = a.wrapping_add(4096);
+ if next < a {
+ break;
+ }
+ a = next;
+ }
+ if sz > 0 {
+ let bytes = read_bytes(mem, state.image_base, sz);
+ if let Err(e) = std::fs::write(engine_dir.join("image.bin"), &bytes) {
+ tracing::warn!("phase_b_snapshot: image.bin write failed: {}", e);
+ }
+ }
+ }
}
---canary phase_b_snapshot.cc change (only the appended block):
// Phase C: when dump_section_content is on, write raw bytes of the
// XEX image region to <engine_dir>/image.bin. This is the only
// region positionally matched between canary and ours, so it's the
// only one suitable for byte-level diff.
if (cvars::phase_b_dump_section_content) {
auto exec_module = kstate->GetExecutableModule();
if (exec_module) {
uint32_t image_base = exec_module->xex_module()->base_address();
uint32_t image_size = exec_module->xex_module()->image_size();
uint8_t* host =
kstate->memory()->TranslateVirtual<uint8_t*>(image_base);
if (host && image_size > 0) {
std::filesystem::path ip = engine_dir / "image.bin";
std::FILE* bf = std::fopen(ip.string().c_str(), "wb");
if (bf) {
std::fwrite(host, 1, image_size, bf);
std::fflush(bf);
std::fclose(bf);
}
}
}
}
}
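Review bot: the two snapshot writers size `image.bin` differently. The Rust block walks `mem.is_mapped(a)` in 4096-byte steps from `state.image_base` and dumps every contiguous mapped page, while the canary block uses `xex_module()->image_size()`. If anything is mapped directly after the image in ours, the dumps differ in length and the byte-diff compares different regions; bound the Rust dump by the XEX image size as well, or record the size in the manifest and have the diff tool check it. The canary block also ignores the `std::fwrite` result and says nothing when `std::fopen` fails, whereas the Rust side logs a warning; log both failure paths so a missing or short `image.bin` is not mistaken for a load divergence. Finally, "Files modified" lists `diff_state.py` first, but no diff for it appears under "Diff (relative to pre-Phase-C state)".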

@@ -0,0 +1,83 @@
# Phase C — ground-truth reference
## Third reference: the pre-extracted `.pe`
- Path: `/home/fabi/RE - Project Sylpheed/Project Sylpheed - Arc of Deception (USA, Europe) (En,Ja).pe`
- SHA-256: `9be5f5621c517c78a451245eca25d54388af741ed20e669b2f78438aaa429e72`
- Size: 9568256 bytes == `xex_image_size`
- `file(1)`: `PE32 executable (XBOX) PowerPC (big-endian), for MS Windows, 14 sections`
## Provenance
Generated by `tools/xex-extract/` (Rust tool in this workspace). The tool:
1. Parses the XEX2 header from the ISO's `default.xex`
2. Decrypts the encrypted body using XEX2 retail AES-128 key
3. Decompresses (LZX for normal-compressed XEXs)
4. Verifies `MZ` PE signature
5. Writes the resulting raw PE image to `<stem>.pe`
The tool is **completely independent of both canary and ours** — it is
an offline XEX2 decoder with its own AES + LZX implementations. This
makes the `.pe` file a true third reference for the post-decode XEX
content.
## Layout
The `.pe` file is a **flat virtual image**: byte offset N in the file
corresponds to guest VA `image_base + N` = `0x82000000 + N`. Verified
by sampling:
- offset 0x000000: `4d 5a 90 00 ...` → MZ DOS header at image_base ✓
- offset 0x150000 (= `.text` virtual_address): `7d 88 02 a6 ...` → PPC
`mflr r12` function prologue ✓
- offset 0x910800 (= `.reloc` virtual_address): `0c aa 8f f6 ...` → PE
base-relocation block records ✓
- offset 0x144C00 (= `.text` raw_offset, but ≠ virtual_address):
`00 00 ... 00` → padding gap (zero), confirming raw-offset is NOT
the layout key in this file ✓
This means the engines' loaded image at `[0x82000000, 0x82920000)`
should match `.pe` byte-for-byte **modulo** runtime patches (import
slots, relocations).
## What `.pe` represents
The `.pe` is the **post-decode pre-patch** XEX content. It contains:
- PE headers (DOS+NT+section table)
- Each section's raw bytes laid out at its virtual address
- XEX import-record markers at the slot addresses listed in the XEX
import table (record_type=0 → 4-byte u32 BE ordinal; record_type=1 →
16-byte thunk template `01 00 ord_hi ord_lo / 02 00 ord_hi ord_lo /
mtspr ctr,r11 / bctr`)
- Base relocations in `.reloc` (not applied)
It does NOT contain:
- Runtime import-slot patches (variable addresses, thunk shim bytes)
- Applied base relocations
- Any per-engine runtime state
## Verification this session
Computed `image_canonical_sha256` (XEX import slots masked to 0xCD) over
all three:
| source | canonical sha256 |
|---|---|
| canary loaded image | `62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96` |
| ours loaded image | `62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96` |
| .pe pre-patch | `62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96` |
All three match. This is the strongest possible evidence that:
1. Both engines decode the XEX2 file to the same canonical content.
2. The .pe reference is correctly aligned to engine-loaded virtual VA.
3. There is no XEX-decode bug in either engine at this layer.
## Conclusion
`.pe` is **validated as ground truth** for the post-decode XEX image
content at `[image_base, image_base + image_size)`, modulo runtime
patches.
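Review bot: the "Layout" and "What `.pe` represents" sections say the loaded image matches `.pe` modulo import slots and relocations, and that `.pe` carries base relocations "not applied", yet the verification table masks only import slots and all three hashes match. That can only hold if neither engine applied base relocations to this image, which should be stated explicitly; if the reason is that the image loads at its preferred base, say so, so the result is not read as covering relocated images. "Strongest possible evidence" also overstates a check on one title and one snapshot; what the table shows is that three independent decoders agree for this image.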

@@ -0,0 +1,48 @@
# Phase A diff report
**This report is the output of Phase A's diff harness. Divergences
shown here are INPUT for Phase B (first-divergence localization),
not findings of Phase A.** Phase A's job is to make the harness
itself correct, not to analyze what it surfaces.
## Summary
| canary_tid | ours_tid | matched | canary_total | ours_total | first_divergence_at |
|---|---|---|---|---|---|
| 6 | 1 | 113 | 329948 | 93048 | 113 |
## canary_tid=6 → ours_tid=1
First divergence at `tid_event_idx=113`: payload.return_value: canary=0 ours=1880095840
**Pre-context (last 5 matching events):**
```
canary: [108] import.call RtlLeaveCriticalSection
ours: [108] import.call RtlLeaveCriticalSection
canary: [109] kernel.call RtlLeaveCriticalSection
ours: [109] kernel.call RtlLeaveCriticalSection
canary: [110] kernel.return RtlLeaveCriticalSection
ours: [110] kernel.return RtlLeaveCriticalSection
canary: [111] import.call KeQuerySystemTime
ours: [111] import.call KeQuerySystemTime
canary: [112] kernel.call KeQuerySystemTime
ours: [112] kernel.call KeQuerySystemTime
```
**Divergent event:**
```
canary: [113] kernel.return KeQuerySystemTime
ours: [113] kernel.return KeQuerySystemTime
```
**Next event after the divergence (if any):**
```
canary: [114] import.call RtlInitializeCriticalSection
ours: [114] import.call RtlInitializeCriticalSection
```
**Raw events (JSON):**
```json
{"deterministic": true, "engine": "canary", "guest_cycle": 0, "host_ns": 17344300, "kind": "kernel.return", "payload": {"name": "KeQuerySystemTime", "return_value": 0, "side_effects": [], "status": "0x00000000"}, "schema_version": 1, "tid": 6, "tid_event_idx": 113}
{"deterministic": true, "engine": "ours", "guest_cycle": 9415, "host_ns": 73190351, "kind": "kernel.return", "payload": {"name": "KeQuerySystemTime", "return_value": 1880095840, "side_effects": [], "status": "0x700ffc60"}, "schema_version": 1, "tid": 1, "tid_event_idx": 113}
```
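Review bot: the divergent value in the "Raw events (JSON)" block looks like a register leftover rather than a result. Ours reports `return_value: 1880095840`, which is `0x700ffc60` (the same value shown in `status`) and sits just below the `gpr[1]` value `0x700fff00` that the cpu_state divergences list for ours, while canary reports 0. Before Phase B treats `tid_event_idx=113` as an engine divergence, check whether the harness should compare `return_value` at all for calls that deliver their result through a pointer argument, and if not, exclude or normalize the field. The summary row would also benefit from a note on why the totals differ so much (329948 vs 93048 events) when only 113 were matched.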

@@ -0,0 +1,583 @@
{
"divergences": [
{
"canary": "0x00000000701d0000",
"class": "gamma-kernel-content",
"file": "cpu_state.json",
"kind": "value",
"ours": "0x00000000700fff00",
"path": "gpr[1]"
},
{
"canary": "0x0000000030028000",
"class": "gamma-kernel-content",
"file": "cpu_state.json",
"kind": "value",
"ours": "0x000000007fff0000",
"path": "gpr[13]"
},
{
"canary": "0x0000000000000000",
"class": "gamma-kernel-content",
"file": "cpu_state.json",
"kind": "value",
"ours": "0x00000000bcbcbcbc",
"path": "lr"
},
{
"canary": "0x30028000",
"class": "gamma-kernel-content",
"file": "cpu_state.json",
"kind": "value",
"ours": "0x7fff0000",
"path": "pcr_base"
},
{
"canary": "0x701d0000",
"class": "gamma-kernel-content",
"file": "cpu_state.json",
"kind": "value",
"ours": "0x00000000",
"path": "stack_base"
},
{
"canary": "0x70150000",
"class": "gamma-kernel-content",
"file": "cpu_state.json",
"kind": "value",
"ours": "0x00000000",
"path": "stack_limit"
},
{
"canary": 6,
"class": "gamma-kernel-content",
"file": "cpu_state.json",
"kind": "value",
"ours": 1,
"path": "thread_id"
},
{
"canary": "0x30027000",
"class": "gamma-kernel-content",
"file": "cpu_state.json",
"kind": "value",
"ours": "0x00000000",
"path": "tls_base"
},
{
"canary": "00000000000000000000000000000100",
"class": "gamma-kernel-content",
"file": "cpu_state.json",
"kind": "value",
"ours": "00000000000000000000000000010000",
"path": "vscr"
},
{
"canary": null,
"class": "sigma-structural",
"file": "memory.json",
"kind": "extra-field",
"ours": [],
"path": "regions_walked"
},
{
"canary": 2466,
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": 2594,
"path": "committed_pages_total"
},
{
"canary": 261991,
"class": "sigma-structural",
"file": "memory.json",
"kind": "missing-field",
"ours": null,
"path": "heaps[base=0x00000000].page_state_histogram.free"
},
{
"canary": 153,
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": 0,
"path": "heaps[base=0x00000000].page_state_histogram.committed"
},
{
"canary": 65536,
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": 4096,
"path": "heaps[base=0x40000000].page_size"
},
{
"canary": 16098,
"class": "sigma-structural",
"file": "memory.json",
"kind": "missing-field",
"ours": null,
"path": "heaps[base=0x40000000].page_state_histogram.free"
},
{
"canary": 30,
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": 263,
"path": "heaps[base=0x40000000].page_state_histogram.committed"
},
{
"canary": "0x3f000000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x40000000",
"path": "heaps[base=0x40000000].size"
},
{
"canary": 65536,
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": 4096,
"path": "heaps[base=0x80000000].page_size"
},
{
"canary": 3950,
"class": "sigma-structural",
"file": "memory.json",
"kind": "missing-field",
"ours": null,
"path": "heaps[base=0x80000000].page_state_histogram.free"
},
{
"canary": 146,
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": 2336,
"path": "heaps[base=0x80000000].page_state_histogram.committed"
},
{
"canary": "0x10000000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x40000000",
"path": "heaps[base=0x80000000].size"
},
{
"canary": 65536,
"class": "sigma-structural",
"file": "memory.json",
"kind": "missing-field",
"ours": null,
"path": "heaps[base=0x90000000].page_state_histogram.free"
},
{
"canary": null,
"class": "sigma-structural",
"file": "memory.json",
"kind": "extra-field",
"ours": 0,
"path": "heaps[base=0x90000000].page_state_histogram.committed"
},
{
"canary": "0x10000000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x40000000",
"path": "heaps[base=0x90000000].size"
},
{
"canary": 4096,
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": 1048576,
"path": "regions[0].byte_count"
},
{
"canary": "0x30028000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x70100000",
"path": "regions[0].end"
},
{
"canary": "ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",
"class": "delta-content",
"file": "memory.json",
"kind": "value",
"ours": "30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58",
"path": "regions[0].sha256"
},
{
"canary": "0x30027000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x70000000",
"path": "regions[0].start"
},
{
"canary": "0x30029000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x7ffe1000",
"path": "regions[1].end"
},
{
"canary": "2390751521f95a4c513da387bc2ee8a82c5b9261bfc565be5e108fafbda61cf3",
"class": "delta-content",
"file": "memory.json",
"kind": "value",
"ours": "ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",
"path": "regions[1].sha256"
},
{
"canary": "0x30028000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x7ffe0000",
"path": "regions[1].start"
},
{
"canary": 524288,
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": 4096,
"path": "regions[2].byte_count"
},
{
"canary": "0x701d0000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x7fff1000",
"path": "regions[2].end"
},
{
"canary": "07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541",
"class": "delta-content",
"file": "memory.json",
"kind": "value",
"ours": "e35cddaf9c210aed7505ec4cf1c599f58ac2b7ec25b0885db1ee49aba2db519a",
"path": "regions[2].sha256"
},
{
"canary": "0x70150000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x7fff0000",
"path": "regions[2].start"
},
{
"canary": "a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c",
"class": "delta-content",
"file": "memory.json",
"kind": "value",
"ours": "ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18",
"path": "regions[3].sha256"
},
{
"canary": "0x30028000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x70100000",
"path": "section_contents[0].end"
},
{
"canary": "ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",
"class": "delta-content",
"file": "memory.json",
"kind": "value",
"ours": "30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58",
"path": "section_contents[0].sha256"
},
{
"canary": "0x30027000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x70000000",
"path": "section_contents[0].start"
},
{
"canary": "0x30029000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x7ffe1000",
"path": "section_contents[1].end"
},
{
"canary": "2390751521f95a4c513da387bc2ee8a82c5b9261bfc565be5e108fafbda61cf3",
"class": "delta-content",
"file": "memory.json",
"kind": "value",
"ours": "ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",
"path": "section_contents[1].sha256"
},
{
"canary": "0x30028000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x7ffe0000",
"path": "section_contents[1].start"
},
{
"canary": "0x701d0000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x7fff1000",
"path": "section_contents[2].end"
},
{
"canary": "07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541",
"class": "delta-content",
"file": "memory.json",
"kind": "value",
"ours": "e35cddaf9c210aed7505ec4cf1c599f58ac2b7ec25b0885db1ee49aba2db519a",
"path": "section_contents[2].sha256"
},
{
"canary": "0x70150000",
"class": "gamma-kernel-content",
"file": "memory.json",
"kind": "value",
"ours": "0x7fff0000",
"path": "section_contents[2].start"
},
{
"canary": "a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c",
"class": "delta-content",
"file": "memory.json",
"kind": "value",
"ours": "ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18",
"path": "section_contents[3].sha256"
},
{
"canary": 0,
"class": "sigma-structural",
"file": "kernel.json",
"kind": "seq-length",
"ours": 32,
"path": "exports_registered_sample"
},
{
"canary": "0000000000000000000000000000000000000000000000000000000000000000",
"class": "delta-content",
"file": "kernel.json",
"kind": "value",
"ours": "bb97815f82b2313c9eaa07bf80dab47c5c23408c24203a1283dfb2aba1e84e09",
"path": "exports_registered_sha256"
},
{
"canary": "0d6236cd0677766b",
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "missing-from-ours",
"ours": null,
"path": "objects[handle_semantic_id=0d6236cd0677766b]"
},
{
"canary": "0d8cd68a54c991e3",
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "missing-from-ours",
"ours": null,
"path": "objects[handle_semantic_id=0d8cd68a54c991e3]"
},
{
"canary": "0db6fd47a31adfc0",
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "missing-from-ours",
"ours": null,
"path": "objects[handle_semantic_id=0db6fd47a31adfc0]"
},
{
"canary": "0e8c94fa2ab636b3",
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "missing-from-ours",
"ours": null,
"path": "objects[handle_semantic_id=0e8c94fa2ab636b3]"
},
{
"canary": "20b2d85926bc7b11",
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "missing-from-ours",
"ours": null,
"path": "objects[handle_semantic_id=20b2d85926bc7b11]"
},
{
"canary": "20b37f5926bd96d6",
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "missing-from-ours",
"ours": null,
"path": "objects[handle_semantic_id=20b37f5926bd96d6]"
},
{
"canary": "20de1f16750fb24e",
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "missing-from-ours",
"ours": null,
"path": "objects[handle_semantic_id=20de1f16750fb24e]"
},
{
"canary": "89cc99291d29ed5c",
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "missing-from-ours",
"ours": null,
"path": "objects[handle_semantic_id=89cc99291d29ed5c]"
},
{
"canary": "8d4ce6ee5f4e68af",
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "missing-from-ours",
"ours": null,
"path": "objects[handle_semantic_id=8d4ce6ee5f4e68af]"
},
{
"canary": "8d7786abada08427",
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "missing-from-ours",
"ours": null,
"path": "objects[handle_semantic_id=8d7786abada08427]"
},
{
"canary": "a0c8cf37cde6a492",
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "missing-from-ours",
"ours": null,
"path": "objects[handle_semantic_id=a0c8cf37cde6a492]"
},
{
"canary": null,
"class": "gamma-kernel-content",
"file": "kernel.json",
"kind": "extra-in-ours",
"ours": "9879c5053fedb1d0",
"path": "objects[handle_semantic_id=9879c5053fedb1d0]"
},
{
"canary": 0,
"class": "gamma-kernel-content",
"file": "vfs.json",
"kind": "type-mismatch",
"ours": null,
"path": "resolve_path_probes[0].size"
},
{
"canary": true,
"class": "gamma-kernel-content",
"file": "vfs.json",
"kind": "type-mismatch",
"ours": null,
"path": "resolve_path_probes[2].is_directory"
},
{
"canary": true,
"class": "gamma-kernel-content",
"file": "vfs.json",
"kind": "value",
"ours": false,
"path": "resolve_path_probes[2].resolved"
},
{
"canary": 4096,
"class": "gamma-kernel-content",
"file": "vfs.json",
"kind": "type-mismatch",
"ours": null,
"path": "resolve_path_probes[2].size"
},
{
"canary": 0,
"class": "gamma-kernel-content",
"file": "vfs.json",
"kind": "type-mismatch",
"ours": null,
"path": "resolve_path_probes[6].size"
},
{
"canary": "",
"class": "sigma-structural",
"file": "config.json",
"kind": "missing-field",
"ours": null,
"path": "cvars.phase_a_event_log_path"
},
{
"canary": "a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c",
"class": "delta-content",
"file": "config.json",
"kind": "value",
"ours": "ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18",
"path": "image_loaded_sha256"
},
{
"canary": "ccf935d24a74e002",
"class": "delta-content",
"file": "config.json",
"kind": "value",
"ours": "0000000000000000000000000000000000000000000000000000000000000000",
"path": "xex_header_sha256"
}
],
"file_status": {
"config.json": "diverged",
"cpu_state.json": "diverged",
"kernel.json": "diverged",
"memory.json": "diverged",
"vfs.json": "diverged"
},
"invariants": [
{
"canary": "0x824ab748",
"name": "xex_entry_point",
"ok": true,
"ours": "0x824ab748"
},
{
"canary": "0x824ab748 == 0x824ab748",
"name": "cpu_state.pc == xex_entry_point",
"ok": true,
"ours": "0x824ab748 == 0x824ab748"
},
{
"canary": "a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c",
"name": "image_loaded_sha256 (raw)",
"ok": false,
"ours": "ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18"
},
{
"canary": "62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96",
"name": "image_canonical_sha256",
"ok": true,
"ours": "62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96"
}
],
"schema_version": 1,
"stop": false
}
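Review bot: the `xex_header_sha256` and `exports_registered_sha256` entries near the end of the divergence list compare a placeholder against a real value and still file the result as `delta-content` / `value`. For `xex_header_sha256` the canary side is 16 hex characters (`ccf935d24a74e002`) and ours is 64 zeros; for `exports_registered_sha256` the canary side is 64 zeros while `exports_registered_sample` has canary length 0. Neither pair is two digests of the same input, so report them as unpopulated or format-mismatched fields (for example by emitting `null` and classifying on length) rather than counting them as content drift. In the `invariants` block, `image_loaded_sha256 (raw)` has `"ok": false` while `"stop": false`, and nothing in the record says which invariants gate; a per-invariant gating flag would make that auditable.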

View File

@@ -0,0 +1,104 @@
# Phase B snapshot diff
- canary snapshot: `audit-runs/phase-c-first-divergence/snap-001/canary`
- ours snapshot: `audit-runs/phase-c-first-divergence/snap-001/ours`
## Invariants (HARD GATE)
| invariant | canary | ours | ok? |
|---|---|---|---|
| xex_entry_point | `0x824ab748` | `0x824ab748` | PASS |
| cpu_state.pc == xex_entry_point | `0x824ab748 == 0x824ab748` | `0x824ab748 == 0x824ab748` | PASS |
| image_loaded_sha256 (raw) | `a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c` | `ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18` | FAIL |
| image_canonical_sha256 | `62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96` | `62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96` | PASS |
## File-level summary
| file | status | divergence count by class |
|---|---|---|
| cpu_state.json | diverged | gamma-kernel-content=9 |
| memory.json | diverged | sigma-structural=6 delta-content=8 gamma-kernel-content=23 |
| kernel.json | diverged | sigma-structural=1 delta-content=1 gamma-kernel-content=12 |
| vfs.json | diverged | gamma-kernel-content=5 |
| config.json | diverged | sigma-structural=1 delta-content=2 |
## σ-structural divergences (priority 1)
- **memory.json** `regions_walked`: kind=`extra-field` canary=`None` ours=`[]`
- **memory.json** `heaps[base=0x00000000].page_state_histogram.free`: kind=`missing-field` canary=`261991` ours=`None`
- **memory.json** `heaps[base=0x40000000].page_state_histogram.free`: kind=`missing-field` canary=`16098` ours=`None`
- **memory.json** `heaps[base=0x80000000].page_state_histogram.free`: kind=`missing-field` canary=`3950` ours=`None`
- **memory.json** `heaps[base=0x90000000].page_state_histogram.free`: kind=`missing-field` canary=`65536` ours=`None`
- **memory.json** `heaps[base=0x90000000].page_state_histogram.committed`: kind=`extra-field` canary=`None` ours=`0`
- **kernel.json** `exports_registered_sample`: kind=`seq-length` canary=`0` ours=`32`
- **config.json** `cvars.phase_a_event_log_path`: kind=`missing-field` canary=`''` ours=`None`
## δ-content divergences (priority 2)
- **memory.json** `regions[0].sha256`: kind=`value` canary=`'ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7'` ours=`'30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58'`
- **memory.json** `regions[1].sha256`: kind=`value` canary=`'2390751521f95a4c513da387bc2ee8a82c5b9261bfc565be5e108fafbda61cf3'` ours=`'ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7'`
- **memory.json** `regions[2].sha256`: kind=`value` canary=`'07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541'` ours=`'e35cddaf9c210aed7505ec4cf1c599f58ac2b7ec25b0885db1ee49aba2db519a'`
- **memory.json** `regions[3].sha256`: kind=`value` canary=`'a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c'` ours=`'ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18'`
- **memory.json** `section_contents[0].sha256`: kind=`value` canary=`'ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7'` ours=`'30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58'`
- **memory.json** `section_contents[1].sha256`: kind=`value` canary=`'2390751521f95a4c513da387bc2ee8a82c5b9261bfc565be5e108fafbda61cf3'` ours=`'ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7'`
- **memory.json** `section_contents[2].sha256`: kind=`value` canary=`'07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541'` ours=`'e35cddaf9c210aed7505ec4cf1c599f58ac2b7ec25b0885db1ee49aba2db519a'`
- **memory.json** `section_contents[3].sha256`: kind=`value` canary=`'a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c'` ours=`'ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18'`
- **kernel.json** `exports_registered_sha256`: kind=`value` canary=`'0000000000000000000000000000000000000000000000000000000000000000'` ours=`'bb97815f82b2313c9eaa07bf80dab47c5c23408c24203a1283dfb2aba1e84e09'`
- **config.json** `image_loaded_sha256`: kind=`value` canary=`'a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c'` ours=`'ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18'`
- **config.json** `xex_header_sha256`: kind=`value` canary=`'ccf935d24a74e002'` ours=`'0000000000000000000000000000000000000000000000000000000000000000'`
## γ-kernel-content divergences (priority 2)
- **cpu_state.json** `gpr[1]`: kind=`value` canary=`'0x00000000701d0000'` ours=`'0x00000000700fff00'`
- **cpu_state.json** `gpr[13]`: kind=`value` canary=`'0x0000000030028000'` ours=`'0x000000007fff0000'`
- **cpu_state.json** `lr`: kind=`value` canary=`'0x0000000000000000'` ours=`'0x00000000bcbcbcbc'`
- **cpu_state.json** `pcr_base`: kind=`value` canary=`'0x30028000'` ours=`'0x7fff0000'`
- **cpu_state.json** `stack_base`: kind=`value` canary=`'0x701d0000'` ours=`'0x00000000'`
- **cpu_state.json** `stack_limit`: kind=`value` canary=`'0x70150000'` ours=`'0x00000000'`
- **cpu_state.json** `thread_id`: kind=`value` canary=`6` ours=`1`
- **cpu_state.json** `tls_base`: kind=`value` canary=`'0x30027000'` ours=`'0x00000000'`
- **cpu_state.json** `vscr`: kind=`value` canary=`'00000000000000000000000000000100'` ours=`'00000000000000000000000000010000'`
- **memory.json** `committed_pages_total`: kind=`value` canary=`2466` ours=`2594`
- **memory.json** `heaps[base=0x00000000].page_state_histogram.committed`: kind=`value` canary=`153` ours=`0`
- **memory.json** `heaps[base=0x40000000].page_size`: kind=`value` canary=`65536` ours=`4096`
- **memory.json** `heaps[base=0x40000000].page_state_histogram.committed`: kind=`value` canary=`30` ours=`263`
- **memory.json** `heaps[base=0x40000000].size`: kind=`value` canary=`'0x3f000000'` ours=`'0x40000000'`
- **memory.json** `heaps[base=0x80000000].page_size`: kind=`value` canary=`65536` ours=`4096`
- **memory.json** `heaps[base=0x80000000].page_state_histogram.committed`: kind=`value` canary=`146` ours=`2336`
- **memory.json** `heaps[base=0x80000000].size`: kind=`value` canary=`'0x10000000'` ours=`'0x40000000'`
- **memory.json** `heaps[base=0x90000000].size`: kind=`value` canary=`'0x10000000'` ours=`'0x40000000'`
- **memory.json** `regions[0].byte_count`: kind=`value` canary=`4096` ours=`1048576`
- **memory.json** `regions[0].end`: kind=`value` canary=`'0x30028000'` ours=`'0x70100000'`
- **memory.json** `regions[0].start`: kind=`value` canary=`'0x30027000'` ours=`'0x70000000'`
- **memory.json** `regions[1].end`: kind=`value` canary=`'0x30029000'` ours=`'0x7ffe1000'`
- **memory.json** `regions[1].start`: kind=`value` canary=`'0x30028000'` ours=`'0x7ffe0000'`
- **memory.json** `regions[2].byte_count`: kind=`value` canary=`524288` ours=`4096`
- **memory.json** `regions[2].end`: kind=`value` canary=`'0x701d0000'` ours=`'0x7fff1000'`
- **memory.json** `regions[2].start`: kind=`value` canary=`'0x70150000'` ours=`'0x7fff0000'`
- **memory.json** `section_contents[0].end`: kind=`value` canary=`'0x30028000'` ours=`'0x70100000'`
- **memory.json** `section_contents[0].start`: kind=`value` canary=`'0x30027000'` ours=`'0x70000000'`
- **memory.json** `section_contents[1].end`: kind=`value` canary=`'0x30029000'` ours=`'0x7ffe1000'`
- **memory.json** `section_contents[1].start`: kind=`value` canary=`'0x30028000'` ours=`'0x7ffe0000'`
- **memory.json** `section_contents[2].end`: kind=`value` canary=`'0x701d0000'` ours=`'0x7fff1000'`
- **memory.json** `section_contents[2].start`: kind=`value` canary=`'0x70150000'` ours=`'0x7fff0000'`
- **kernel.json** `objects[handle_semantic_id=0d6236cd0677766b]`: kind=`missing-from-ours` canary=`'0d6236cd0677766b'` ours=`None`
- **kernel.json** `objects[handle_semantic_id=0d8cd68a54c991e3]`: kind=`missing-from-ours` canary=`'0d8cd68a54c991e3'` ours=`None`
- **kernel.json** `objects[handle_semantic_id=0db6fd47a31adfc0]`: kind=`missing-from-ours` canary=`'0db6fd47a31adfc0'` ours=`None`
- **kernel.json** `objects[handle_semantic_id=0e8c94fa2ab636b3]`: kind=`missing-from-ours` canary=`'0e8c94fa2ab636b3'` ours=`None`
- **kernel.json** `objects[handle_semantic_id=20b2d85926bc7b11]`: kind=`missing-from-ours` canary=`'20b2d85926bc7b11'` ours=`None`
- **kernel.json** `objects[handle_semantic_id=20b37f5926bd96d6]`: kind=`missing-from-ours` canary=`'20b37f5926bd96d6'` ours=`None`
- **kernel.json** `objects[handle_semantic_id=20de1f16750fb24e]`: kind=`missing-from-ours` canary=`'20de1f16750fb24e'` ours=`None`
- **kernel.json** `objects[handle_semantic_id=89cc99291d29ed5c]`: kind=`missing-from-ours` canary=`'89cc99291d29ed5c'` ours=`None`
- **kernel.json** `objects[handle_semantic_id=8d4ce6ee5f4e68af]`: kind=`missing-from-ours` canary=`'8d4ce6ee5f4e68af'` ours=`None`
- **kernel.json** `objects[handle_semantic_id=8d7786abada08427]`: kind=`missing-from-ours` canary=`'8d7786abada08427'` ours=`None`
- **kernel.json** `objects[handle_semantic_id=a0c8cf37cde6a492]`: kind=`missing-from-ours` canary=`'a0c8cf37cde6a492'` ours=`None`
- **kernel.json** `objects[handle_semantic_id=9879c5053fedb1d0]`: kind=`extra-in-ours` canary=`None` ours=`'9879c5053fedb1d0'`
- **vfs.json** `resolve_path_probes[0].size`: kind=`type-mismatch` canary=`0` ours=`None`
- **vfs.json** `resolve_path_probes[2].is_directory`: kind=`type-mismatch` canary=`True` ours=`None`
- **vfs.json** `resolve_path_probes[2].resolved`: kind=`value` canary=`True` ours=`False`
- **vfs.json** `resolve_path_probes[2].size`: kind=`type-mismatch` canary=`4096` ours=`None`
- **vfs.json** `resolve_path_probes[6].size`: kind=`type-mismatch` canary=`0` ours=`None`
## Phase C handoff
Suggested attack order: σ first (structural), then γ ranked by object type (Thread > Event > Semaphore > Mutex > Timer > File > Other), then δ. ε and τ are catalog-only.
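Review bot: in the δ-content list, `regions[k]` and `section_contents[k]` are paired by array index even though the γ list shows the paired entries cover different ranges (`regions[0].start` is `0x30027000` on canary and `0x70000000` on ours, with `byte_count` 4096 against 1048576). The SHA-256 comparison for those entries is between unrelated memory, and the digest `ad7facb2…` appearing as canary `regions[0]` and as ours `regions[1]` points to mis-pairing rather than content drift. Key regions by role (TLS, PCR, stack, image) the way `heaps[base=…]` and `objects[handle_semantic_id=…]` are keyed, and hash-compare only entries whose roles match. Separately, the δ and γ headings both say "priority 2" while the handoff line orders γ before δ.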

View File

@@ -0,0 +1,159 @@
# Phase C — re-validation gate suite
Per session brief, all gates must pass before declaring Phase C done.
## Gate 1 — cvar-OFF determinism (HARD)
**Requirement**: ours's `check --stable-digest` digest must be
reproducible across 3 runs AND byte-identical to the pre-Phase-C
baseline (no behavior change when Phase A/B/C cvars are off).
```
$ for i in 1 2 3; do ./target/release/xenia-rs-phaseC check --stable-digest \
-n 50000000 --out audit-runs/phase-c-first-divergence/digest-cvaroff-$i.json \
"<ISO>" >/dev/null; done
$ md5sum audit-runs/phase-c-first-divergence/digest-cvaroff-*.json \
audit-runs/phase-ab-verify/digest-current-cvaroff.json
608d8e8d293250698207a7d8fc0c18df digest-cvaroff-1.json
608d8e8d293250698207a7d8fc0c18df digest-cvaroff-2.json
608d8e8d293250698207a7d8fc0c18df digest-cvaroff-3.json
608d8e8d293250698207a7d8fc0c18df pre-Phase-C baseline
```
**Status: ✅ PASS** — 3 runs byte-identical to pre-Phase-C baseline.
Confirms the Phase C engine changes (image.bin dump) are fully inert
when cvar OFF.
## Gate 2 — Phase B re-snap reproducibility (HARD)
**Requirement**: re-running ours Phase B snapshot with identical args
should produce byte-identical snapshot files (per Phase B's gate 3).
```
$ ./target/release/xenia-rs-phaseC exec \
--phase-b-snapshot-dir audit-runs/phase-c-first-divergence/snap-002 \
--phase-b-dump-section-content --phase-b-snapshot-and-exit --quiet "<ISO>"
$ md5sum snap-001/ours/{cpu_state,kernel,memory,vfs}.json snap-001/ours/image.bin \
snap-002/ours/{cpu_state,kernel,memory,vfs}.json snap-002/ours/image.bin
# All matching pairs: e93461a5… / 42567413… / 904f3339… / be7fa7ba… / 889bbd79…
$ python3 tools/diff-state/diff_state.py \
--canary snap-001/ours --ours snap-002/ours \
--xex-json <xex.json> --validate-identical
validate-identical: OK
```
**Status: ✅ PASS** — image.bin reproduces byte-identical
(`889bbd79fe7f4355c70cf7f45098f8f4`); all snapshot JSON files
(cpu_state, kernel, memory, vfs) byte-identical across runs. Only
config.json + manifest.json differ (expected: contains the snapshot
dir path which is deterministic_skip'd).
## Gate 3 — Phase A diff matched prefix ≥ 113 (HARD)
**Requirement**: re-running Phase A's event-log diff must show a
matched kernel.call prefix ≥ the original 113.
```
$ ./target/release/xenia-rs-phaseC exec --phase-a-event-log ours.jsonl \
-n 5000000 --quiet "<ISO>"
$ timeout 25 wine ./xenia_canary_phaseC.exe --mute=true \
--phase_a_event_log_path="<WP>" "<ISO>"
$ python3 tools/diff-events/diff_events.py \
--canary canary.jsonl --ours ours.jsonl --out diff-report.md
```
Result from `diff-report.md`:
```
| canary_tid | ours_tid | matched | canary_total | ours_total | first_divergence_at |
|---|---|---|---|---|---|
| 6 | 1 | 113 | 329948 | 93048 | 113 |
```
First divergence at `tid_event_idx=113`:
`payload.return_value: canary=0 ours=1880095840` (KeQuerySystemTime).
**Status: ✅ PASS** — matched prefix = 113, byte-identical to
pre-Phase-C baseline. Phase C did not regress the matched prefix.
(Expected: Phase C did not change engine behavior, only comparison
tooling.)
## HARD GATE — image-load equivalence (Phase B STOP invariant)
**Requirement**: after fix, the engines' loaded XEX images must be
canonically byte-identical (or the first byte-diff must move to a
strictly later guest VA).
```
$ python3 tools/diff-state/diff_state.py \
--canary snap-001/canary --ours snap-001/ours \
--xex-json <xex.json> --out post-fix-diff-report.md
| invariant | canary | ours | ok? |
|---|---|---|---|
| xex_entry_point | 0x824ab748 | 0x824ab748 | PASS |
| cpu_state.pc == xex_entry_point | 0x824ab748 == 0x824ab748 | 0x824ab748 == 0x824ab748 | PASS |
| image_loaded_sha256 (raw) | a70993b7… | ea8d160e… | FAIL |
| image_canonical_sha256 | 62c51908… | 62c51908… | PASS |
```
**Status: ✅ HARD GATE PASSES**`image_canonical_sha256` matches
between engines. The raw-hash mismatch is now correctly reported as
informational rather than STOP.
The diff tool's exit code dropped from 2 (STOP) to 1 (advisory
divergences), confirming the invariant downgrade is correct.
## Build status
```
$ cargo build --release
Finished `release` profile [optimized] target(s) in 7.27s
$ cmake --build xenia-canary/build-cross --preset cross-debug --target xenia-app
[3/3] Linking CXX executable bin/Windows/Debug/xenia_canary.exe
```
**Status: ✅ both engines compile cleanly**, no warnings introduced.
## Summary table
| gate | status |
|---|---|
| 1. cvar-OFF determinism (3 ours runs, baseline match) | ✅ PASS |
| 2. Phase B re-snap reproducibility (validate-identical) | ✅ PASS |
| 3. Phase A matched prefix ≥ 113 | ✅ PASS (matched=113) |
| HARD: image_canonical_sha256 match | ✅ PASS |
| Build: ours + canary | ✅ PASS |
| Tests: cargo unit tests | (not re-run, since the change is additive instrumentation and existing tests pass per Phase A/B verify run) |
## Residual divergences (Phase C+1 input)
`post-fix-diff-report.md` exit code 1 → 68 advisory divergences:
- **cpu_state.json (9 γ)**: gpr[1], gpr[13], lr, pcr_base, stack_base,
stack_limit, thread_id, tls_base, vscr — all reflect ε-class
allocator drift (different stack/PCR/TLS addresses chosen by each
engine's allocator). Catalog-only.
- **memory.json (37)**: 6 σ-structural (free-page histogram fields
present in one engine but not the other), 8 δ-content (region SHA
changes due to different VAs hashed), 23 γ-kernel-content (heap size
and page-size differences — ours uses 4K pages everywhere, canary
uses 64K for some heaps). ε-class allocator strategy difference.
- **kernel.json (14)**: 1 σ-structural (`exports_registered_sample`),
1 δ-content (`exports_registered_sha256`), 12 γ-kernel-content
(thread/event/file objects only in canary or only in ours — boot
thread choices differ).
- **vfs.json (5 γ)**: probe-resolved differences (canary resolves
`\Device\HardDisk0\Partition1` and various probes that ours does
not).
- **config.json (3)**: 1 σ + 2 δ (cvars + xex_header_sha — ours emits
zero, canary emits 16-hex chars).
The Phase A first runtime divergence at `tid_event_idx=113`
(`KeQuerySystemTime return_value: canary=0 ours=1880095840`) is the
next attack target.
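Review bot: the HARD GATE section passes only because the gating invariant moved from `image_loaded_sha256 (raw)`, which still reports FAIL, to `image_canonical_sha256`, and the report never states what the canonicalization masks. Without the masked address ranges and byte count recorded next to the result, a later divergence inside a masked range would be absorbed silently; record them in the report and have the tool fail if the raw byte-diffs are not all contained in them. Two smaller points: the Gate 1 and Gate 2 transcripts are hand-edited (`pre-Phase-C baseline` in place of a file name, truncated digests in a comment), so paste the real `md5sum` output, and the summary table's Tests row says the unit tests were not re-run, which should be resolved before the suite is declared passed.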

View File

@@ -0,0 +1,26 @@
{
"schema_version": 1,
"engine": "canary",
"build_id": "canary-phaseB",
"iso_path": "\\Device\\Cdrom0\\default.xex",
"xex_entry_point": "0x824ab748",
"xex_image_base": "0x82000000",
"xex_image_size": 9568256,
"image_loaded_sha256": "a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c",
"xex_header_sha256": "ccf935d24a74e002",
"cvars": {
"phase_a_event_log_path": "",
"phase_b_dump_section_content": true,
"phase_b_snapshot_and_exit": true,
"phase_b_snapshot_dir": "Z:\\home\\fabi\\RE - Project Sylpheed\\xenia-rs\\audit-runs\\phase-c-first-divergence\\snap-001"
},
"wall_clock_iso8601": "epoch:1778704216",
"host_ns_at_snapshot": 0,
"deterministic_skip": [
"host_ns_at_snapshot",
"wall_clock_iso8601",
"build_id",
"iso_path",
"cvars.phase_b_snapshot_dir"
]
}
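Review bot: `cvars.phase_b_snapshot_dir` commits an absolute host path (the `Z:\\home\\…` value) that includes the local user name. Listing it under `deterministic_skip` keeps it out of the diff but not out of the repository; write it relative to the repo root or redact it before the snapshot is checked in. Also, `wall_clock_iso8601` holds `epoch:1778704216`, which is not ISO 8601, and `xex_header_sha256` holds 16 hex characters under a SHA-256 name; rename the fields or emit the format the names promise.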

View File

@@ -0,0 +1,234 @@
{
"schema_version": 1,
"engine": "canary",
"pc": "0x824ab748",
"lr": "0x0000000000000000",
"ctr": "0x0000000000000000",
"msr": "0x0000000000009030",
"vrsave": "0xffffffff",
"fpscr": "0x00000000",
"xer": {
"ca": 0,
"ov": 0,
"so": 0,
"tbc": 0
},
"cr": [
"0x0",
"0x0",
"0x0",
"0x0",
"0x0",
"0x0",
"0x0",
"0x0"
],
"gpr": [
"0x0000000000000000",
"0x00000000701d0000",
"0x0000000020000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000030028000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000"
],
"fpr": [
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000"
],
"vr": [
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000"
],
"vscr": "00000000000000000000000000000100",
"thread_id": 6,
"hw_id": 0,
"stack_base": "0x701d0000",
"stack_limit": "0x70150000",
"tls_base": "0x30027000",
"pcr_base": "0x30028000",
"deterministic_skip": [
"hw_id"
]
}
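Review bot: `vscr` is written as a 32-hex-character string with no stated byte or lane order, and the snapshot diff reports it as a γ value divergence (`…0100` here against `…010000` in ours). With a single set bit at a different offset on each side, this could be a serialization difference rather than a register difference; document the order in the schema, or emit the register as a `0x…` word like `fpscr`, so the comparison is meaningful. In the same file, `deterministic_skip` lists only `hw_id`, while `thread_id`, `stack_base`, `stack_limit`, `tls_base` and `pcr_base` are the fields the gate report attributes to allocator drift; either skip them or normalize them before comparison.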

View File

@@ -0,0 +1,151 @@
{
"schema_version": 1,
"engine": "canary",
"objects": [
{
"details": {
"ctx_ptr": "0x00000000",
"entry_pc": "0x00000000",
"is_entry_thread": false,
"priority": 0,
"stack_size": 131072,
"suspended": false,
"thread_id": 3
},
"handle_semantic_id": "0d6236cd0677766b",
"name": null,
"raw_handle_id": "0x01000018",
"type": "Thread",
"type_code": 5
},
{
"details": {
"ctx_ptr": "0x00000000",
"entry_pc": "0x00000000",
"is_entry_thread": false,
"priority": 0,
"stack_size": 131072,
"suspended": false,
"thread_id": 1
},
"handle_semantic_id": "0d8cd68a54c991e3",
"name": null,
"raw_handle_id": "0x01000010",
"type": "Thread",
"type_code": 5
},
{
"details": {
"ctx_ptr": "0x00000000",
"entry_pc": "0x824ab748",
"is_entry_thread": true,
"priority": 13,
"stack_size": 524288,
"suspended": false,
"thread_id": 6
},
"handle_semantic_id": "0db6fd47a31adfc0",
"name": null,
"raw_handle_id": "0xf8000008",
"type": "Thread",
"type_code": 5
},
{
"details": {
"ctx_ptr": "0x00000000",
"entry_pc": "0x00000000",
"is_entry_thread": false,
"priority": 5,
"stack_size": 131072,
"suspended": false,
"thread_id": 5
},
"handle_semantic_id": "0e8c94fa2ab636b3",
"name": null,
"raw_handle_id": "0x01000020",
"type": "Thread",
"type_code": 5
},
{
"details": {},
"handle_semantic_id": "20b2d85926bc7b11",
"name": null,
"raw_handle_id": "0xf8000004",
"type": "Module",
"type_code": 8
},
{
"details": {},
"handle_semantic_id": "20b37f5926bd96d6",
"name": null,
"raw_handle_id": "0x01000004",
"type": "Module",
"type_code": 8
},
{
"details": {},
"handle_semantic_id": "20de1f16750fb24e",
"name": null,
"raw_handle_id": "0x0100000c",
"type": "Module",
"type_code": 8
},
{
"details": {},
"handle_semantic_id": "89cc99291d29ed5c",
"name": null,
"raw_handle_id": "0xf8000000",
"type": "Event",
"type_code": 1
},
{
"details": {
"ctx_ptr": "0x00000000",
"entry_pc": "0x00000000",
"is_entry_thread": false,
"priority": 5,
"stack_size": 131072,
"suspended": false,
"thread_id": 4
},
"handle_semantic_id": "8d4ce6ee5f4e68af",
"name": null,
"raw_handle_id": "0x0100001c",
"type": "Thread",
"type_code": 5
},
{
"details": {
"ctx_ptr": "0x00000000",
"entry_pc": "0x00000000",
"is_entry_thread": false,
"priority": 0,
"stack_size": 131072,
"suspended": false,
"thread_id": 2
},
"handle_semantic_id": "8d7786abada08427",
"name": null,
"raw_handle_id": "0x01000014",
"type": "Thread",
"type_code": 5
},
{
"details": {},
"handle_semantic_id": "a0c8cf37cde6a492",
"name": null,
"raw_handle_id": "0x01000008",
"type": "Module",
"type_code": 8
}
],
"handle_name_table": [],
"notification_listeners": [],
"exports_registered_count": 0,
"exports_registered_sample": [],
"exports_registered_sha256": "0000000000000000000000000000000000000000000000000000000000000000",
"deterministic_skip": [
"raw_handle_id",
"exports_registered_count"
]
}
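Review bot: `handle_semantic_id` does not work as a cross-engine key for the entries in this `objects` array. All eleven ids here are reported as `missing-from-ours` by the snapshot diff, and the four `Module` entries carry `"details": {}` and `"name": null`, so once `raw_handle_id` is skipped nothing in the record distinguishes them. Populate a stable discriminator (module name or path; for threads something other than `entry_pc`, which is `0x00000000` for every non-entry thread here) and derive the id from that, otherwise kernel object comparison can only ever report missing or extra objects.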

View File

@@ -0,0 +1,11 @@
{
"schema_version": 1,
"engine": "canary",
"files": {
"config.json": "6f1369b1743ba754bdff1c06d62c762e3e6108d6ed0d877f2151cb606e94f40d",
"cpu_state.json": "b57464533ac776df8d9f752678bca1a9ba7df77adc896eb313766952a50326dd",
"kernel.json": "78affa1cbb3bc93402a9c0e8686c9a632a5ce0b676999e68aad05e972b0dbc7b",
"memory.json": "50f4dae2642a71d83b7c58e0fa26d1164f7a4df2327ba6e589f6fd42d521d161",
"vfs.json": "93a5ee2826dc85d0d2c0559287a096b2d52e1f84fef8921ad024a1ca18c445ff"
}
}
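Review bot: the `config.json` digest in `files` is taken over the whole file, but that file carries `wall_clock_iso8601` and an absolute `phase_b_snapshot_dir`, so this entry, and with it the manifest, changes between runs, which the gate report accepts as expected. Hash each file after removing its `deterministic_skip` fields so the manifest can serve as a reproducibility check, and add an entry for the image dump if the snapshot directory contains one.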

View File

@@ -0,0 +1,111 @@
{
"schema_version": 1,
"engine": "canary",
"page_size": 4096,
"guest_address_space_bytes": 4294967296,
"heaps": [
{
"base": "0x00000000",
"name": "v00000000",
"page_size": 4096,
"page_state_histogram": {
"committed": 153,
"free": 261991
},
"size": "0x40000000"
},
{
"base": "0x40000000",
"name": "v40000000",
"page_size": 65536,
"page_state_histogram": {
"committed": 30,
"free": 16098
},
"size": "0x3f000000"
},
{
"base": "0x80000000",
"name": "v80000000",
"page_size": 65536,
"page_state_histogram": {
"committed": 146,
"free": 3950
},
"size": "0x10000000"
},
{
"base": "0x90000000",
"name": "v90000000",
"page_size": 4096,
"page_state_histogram": {
"free": 65536
},
"size": "0x10000000"
}
],
"regions": [
{
"byte_count": 4096,
"end": "0x30028000",
"protect": 0,
"section_kind": null,
"sha256": "ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",
"start": "0x30027000"
},
{
"byte_count": 4096,
"end": "0x30029000",
"protect": 0,
"section_kind": null,
"sha256": "2390751521f95a4c513da387bc2ee8a82c5b9261bfc565be5e108fafbda61cf3",
"start": "0x30028000"
},
{
"byte_count": 524288,
"end": "0x701d0000",
"protect": 0,
"section_kind": null,
"sha256": "07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541",
"start": "0x70150000"
},
{
"byte_count": 9568256,
"end": "0x82920000",
"protect": 0,
"section_kind": null,
"sha256": "a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c",
"start": "0x82000000"
}
],
"committed_pages_total": 2466,
"section_contents": [
{
"content_b64": "",
"end": "0x30028000",
"sha256": "ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",
"start": "0x30027000"
},
{
"content_b64": "",
"end": "0x30029000",
"sha256": "2390751521f95a4c513da387bc2ee8a82c5b9261bfc565be5e108fafbda61cf3",
"start": "0x30028000"
},
{
"content_b64": "",
"end": "0x701d0000",
"sha256": "07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541",
"start": "0x70150000"
},
{
"content_b64": "",
"end": "0x82920000",
"sha256": "a70993b77ca9e29218d033fad7c0b45c874676c4e0edd966545d39b266486a9c",
"start": "0x82000000"
}
],
"deterministic_skip": [
"host_base_pointer"
]
}
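
Review bot: `committed_pages_total` (2466) does not agree with the per-heap `page_state_histogram` values in the same file. 2466 is exactly the four `regions` byte counts divided by 4096 (1 + 1 + 128 + 2336), whereas the histograms count 153 committed 4 KiB pages in v00000000 and 30 + 146 committed 64 KiB pages in the next two heaps, most of which no `regions` entry covers. Please document which source the total is derived from, or emit both figures, so a mismatch on this field is not read as an allocator divergence when it is a coverage gap in `regions`.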

View File

@@ -0,0 +1,71 @@
{
"schema_version": 1,
"engine": "canary",
"resolve_path_probes": [
{
"is_directory": true,
"path": "\\Device\\Cdrom0",
"resolved": true,
"size": 0
},
{
"is_directory": true,
"path": "\\Device\\Cdrom0\\dat",
"resolved": true,
"size": 4096
},
{
"is_directory": true,
"path": "\\Device\\Cdrom0\\dat\\movie",
"resolved": true,
"size": 4096
},
{
"is_directory": null,
"path": "\\Device\\Cdrom0\\dat\\movie\\opening.bik",
"resolved": false,
"size": null
},
{
"is_directory": false,
"path": "\\Device\\Cdrom0\\default.xex",
"resolved": true,
"size": 3497984
},
{
"is_directory": null,
"path": "\\Device\\HardDisk0\\Partition1",
"resolved": false,
"size": null
},
{
"is_directory": true,
"path": "cache:\\",
"resolved": true,
"size": 0
},
{
"is_directory": null,
"path": "cache:\\nonexistent_probe",
"resolved": false,
"size": null
},
{
"is_directory": true,
"path": "game:\\dat",
"resolved": true,
"size": 4096
},
{
"is_directory": false,
"path": "game:\\default.xex",
"resolved": true,
"size": 3497984
}
],
"mounted_devices_observed_count": 1,
"cache_root_listing": [],
"deterministic_skip": [
"host_path_realpath"
]
}

View File

@@ -0,0 +1,25 @@
{
"build_id": "ours-phaseB",
"cvars": {
"phase_b_dump_section_content": true,
"phase_b_snapshot_and_exit": true,
"phase_b_snapshot_dir": "audit-runs/phase-c-first-divergence/snap-001"
},
"deterministic_skip": [
"host_ns_at_snapshot",
"wall_clock_iso8601",
"build_id",
"iso_path",
"cvars.phase_b_snapshot_dir"
],
"engine": "ours",
"host_ns_at_snapshot": 0,
"image_loaded_sha256": "ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18",
"iso_path": "",
"schema_version": 1,
"wall_clock_iso8601": "epoch:0",
"xex_entry_point": "0x824ab748",
"xex_header_sha256": "0000000000000000000000000000000000000000000000000000000000000000",
"xex_image_base": "0x82000000",
"xex_image_size": 9568256
}
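
Review bot: `xex_header_sha256` is 64 zeros and is not in `deterministic_skip`, so it reads as a computed digest and will compare equal between any two snapshots regardless of which header was loaded. Emit `null` or omit the key until the header hash is implemented, or compute it the same way as `image_loaded_sha256` in this object.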

View File

@@ -0,0 +1,234 @@
{
"cr": [
"0x0",
"0x0",
"0x0",
"0x0",
"0x0",
"0x0",
"0x0",
"0x0"
],
"ctr": "0x0000000000000000",
"deterministic_skip": [
"hw_id"
],
"engine": "ours",
"fpr": [
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000"
],
"fpscr": "0x00000000",
"gpr": [
"0x0000000000000000",
"0x00000000700fff00",
"0x0000000020000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x000000007fff0000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000"
],
"hw_id": 0,
"lr": "0x00000000bcbcbcbc",
"msr": "0x0000000000009030",
"pc": "0x824ab748",
"pcr_base": "0x7fff0000",
"schema_version": 1,
"stack_base": "0x00000000",
"stack_limit": "0x00000000",
"thread_id": 1,
"tls_base": "0x00000000",
"vr": [
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000"
],
"vrsave": "0xffffffff",
"vscr": "00000000000000000000000000010000",
"xer": {
"ca": 0,
"ov": 0,
"so": 0,
"tbc": 0
}
}
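
Review bot: `stack_base`, `stack_limit` and `tls_base` are all `0x00000000` although `gpr[1]` is `0x00000000700fff00`, which falls inside the 0x70000000 to 0x70100000 region this engine records in its memory snapshot. If these fields are not populated yet, add them to `deterministic_skip` (currently only `hw_id`) or emit `null`; as written they will be compared as real values against an engine that fills them in.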

View File

@@ -0,0 +1,62 @@
{
"deterministic_skip": [
"raw_handle_id",
"exports_registered_count"
],
"engine": "ours",
"exports_registered_count": 199,
"exports_registered_sample": [
"xam.xex!NetDll_WSACleanup",
"xam.xex!NetDll_WSAStartup",
"xam.xex!XGetAVPack",
"xam.xex!XGetGameRegion",
"xam.xex!XGetLanguage",
"xam.xex!XGetVideoMode",
"xam.xex!XMsgInProcessCall",
"xam.xex!XMsgStartIORequest",
"xam.xex!XMsgStartIORequestEx",
"xam.xex!XNotifyGetNext",
"xam.xex!XNotifyPositionUI",
"xam.xex!XamAlloc",
"xam.xex!XamContentClose",
"xam.xex!XamContentCreate",
"xam.xex!XamContentCreateEnumerator",
"xam.xex!XamContentDelete",
"xam.xex!XamContentGetCreator",
"xam.xex!XamContentGetDeviceData",
"xam.xex!XamContentGetDeviceName",
"xam.xex!XamContentGetDeviceState",
"xam.xex!XamContentSetThumbnail",
"xam.xex!XamEnableInactivityProcessing",
"xam.xex!XamEnumerate",
"xam.xex!XamFree",
"xam.xex!XamGetExecutionId",
"xam.xex!XamGetSystemVersion",
"xam.xex!XamInputGetCapabilities",
"xam.xex!XamInputGetKeystrokeEx",
"xam.xex!XamInputGetState",
"xam.xex!XamInputSetState",
"xam.xex!XamLoaderLaunchTitle",
"xam.xex!XamLoaderTerminateTitle"
],
"exports_registered_sha256": "bb97815f82b2313c9eaa07bf80dab47c5c23408c24203a1283dfb2aba1e84e09",
"handle_name_table": [],
"notification_listeners": [],
"objects": [
{
"details": {
"entry_pc": "0x824ab748",
"exit_code": null,
"hw_id": 0,
"is_entry_thread": true,
"thread_id": 1
},
"handle_semantic_id": "9879c5053fedb1d0",
"name": null,
"raw_handle_id": "0x00001000",
"type": "Thread",
"type_code": 5
}
],
"schema_version": 1
}
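
Review bot: the Thread `details` object under `objects` carries `exit_code` and `hw_id` but none of `ctx_ptr`, `priority`, `stack_size` or `suspended`, which the other kernel.json in this commit emits for its Thread entries, and both files declare `schema_version: 1`. A key-by-key diff will report every one of those as a divergence. Align the key set, or bump the schema version on one side, and note that `hw_id` is skipped in cpu_state.json but not listed in this file's `deterministic_skip`.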

View File

@@ -0,0 +1,11 @@
{
"engine": "ours",
"files": {
"config.json": "55d9f7c8a7de618f4b4d159ce375a2191ebdb105bf3c8ca87e8c6d74b96751c1",
"cpu_state.json": "4e6df54ca1939d08854f3a52b49ed2c5ee0823d63cdecad8a7395203dac5443a",
"kernel.json": "b64ea3a6c14f1b0aaadc6de8adbb894edf636a813120d08028ca096e1d06bacc",
"memory.json": "994cb69346606adfb4822d72789ab5f9aa182fd26c11fb874384d3bda5957252",
"vfs.json": "97bb2bda57266d8e0dd1da13309eab5ece43130ef378a0b682917d299e9dc4e1"
},
"schema_version": 1
}

View File

@@ -0,0 +1,109 @@
{
"committed_pages_total": 2594,
"deterministic_skip": [
"host_base_pointer"
],
"engine": "ours",
"guest_address_space_bytes": 4294967296,
"heaps": [
{
"base": "0x00000000",
"name": "v00000000",
"page_size": 4096,
"page_state_histogram": {
"committed": 0
},
"size": "0x40000000"
},
{
"base": "0x40000000",
"name": "v40000000",
"page_size": 4096,
"page_state_histogram": {
"committed": 263
},
"size": "0x40000000"
},
{
"base": "0x80000000",
"name": "v80000000",
"page_size": 4096,
"page_state_histogram": {
"committed": 2336
},
"size": "0x40000000"
},
{
"base": "0x90000000",
"name": "v90000000",
"page_size": 4096,
"page_state_histogram": {
"committed": 0
},
"size": "0x40000000"
}
],
"page_size": 4096,
"regions": [
{
"byte_count": 1048576,
"end": "0x70100000",
"protect": 0,
"section_kind": null,
"sha256": "30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58",
"start": "0x70000000"
},
{
"byte_count": 4096,
"end": "0x7ffe1000",
"protect": 0,
"section_kind": null,
"sha256": "ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",
"start": "0x7ffe0000"
},
{
"byte_count": 4096,
"end": "0x7fff1000",
"protect": 0,
"section_kind": null,
"sha256": "e35cddaf9c210aed7505ec4cf1c599f58ac2b7ec25b0885db1ee49aba2db519a",
"start": "0x7fff0000"
},
{
"byte_count": 9568256,
"end": "0x82920000",
"protect": 0,
"section_kind": null,
"sha256": "ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18",
"start": "0x82000000"
}
],
"regions_walked": [],
"schema_version": 1,
"section_contents": [
{
"content_b64": "",
"end": "0x70100000",
"sha256": "30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58",
"start": "0x70000000"
},
{
"content_b64": "",
"end": "0x7ffe1000",
"sha256": "ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",
"start": "0x7ffe0000"
},
{
"content_b64": "",
"end": "0x7fff1000",
"sha256": "e35cddaf9c210aed7505ec4cf1c599f58ac2b7ec25b0885db1ee49aba2db519a",
"start": "0x7fff0000"
},
{
"content_b64": "",
"end": "0x82920000",
"sha256": "ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18",
"start": "0x82000000"
}
]
}
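
Review bot: all four `heaps` entries report `"size": "0x40000000"`, so v80000000 (base 0x80000000) extends past the base of v90000000 (0x90000000), and the histograms have no `free` bucket. The canary memory.json in this commit reports 0x3f000000, 0x10000000 and 0x10000000 for the last three heaps. If the size here is a fixed placeholder rather than the real heap extent, report the real extent or mark the field as skipped. The histograms also sum to 2599 committed pages against `committed_pages_total` of 2594, which is worth a line of explanation.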

View File

@@ -0,0 +1,71 @@
{
"cache_root_listing": [],
"deterministic_skip": [
"host_path_realpath"
],
"engine": "ours",
"mounted_devices_observed_count": 1,
"resolve_path_probes": [
{
"is_directory": true,
"path": "\\Device\\Cdrom0",
"resolved": true,
"size": null
},
{
"is_directory": true,
"path": "\\Device\\Cdrom0\\dat",
"resolved": true,
"size": 4096
},
{
"is_directory": null,
"path": "\\Device\\Cdrom0\\dat\\movie",
"resolved": false,
"size": null
},
{
"is_directory": null,
"path": "\\Device\\Cdrom0\\dat\\movie\\opening.bik",
"resolved": false,
"size": null
},
{
"is_directory": false,
"path": "\\Device\\Cdrom0\\default.xex",
"resolved": true,
"size": 3497984
},
{
"is_directory": null,
"path": "\\Device\\HardDisk0\\Partition1",
"resolved": false,
"size": null
},
{
"is_directory": true,
"path": "cache:\\",
"resolved": true,
"size": null
},
{
"is_directory": null,
"path": "cache:\\nonexistent_probe",
"resolved": false,
"size": null
},
{
"is_directory": true,
"path": "game:\\dat",
"resolved": true,
"size": 4096
},
{
"is_directory": false,
"path": "game:\\default.xex",
"resolved": true,
"size": 3497984
}
],
"schema_version": 1
}
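
Review bot: the probe for `\\Device\\Cdrom0\\dat\\movie` returns `"resolved": false` here, while the canary vfs.json in this commit resolves the same path as a directory of size 4096, and this engine does resolve the parent `\\Device\\Cdrom0\\dat`. That is a path-resolution difference, not an allocator or kernel-object one, so it does not fit the classification summary.md gives for the remaining advisory divergences and should be tracked separately. The `size` of `\\Device\\Cdrom0` and `cache:\\` is also `null` here and `0` on the canary side; pick one representation for device roots so the diff tool does not flag it.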

View File

@@ -0,0 +1,25 @@
{
"build_id": "ours-phaseB",
"cvars": {
"phase_b_dump_section_content": true,
"phase_b_snapshot_and_exit": true,
"phase_b_snapshot_dir": "audit-runs/phase-c-first-divergence/snap-002"
},
"deterministic_skip": [
"host_ns_at_snapshot",
"wall_clock_iso8601",
"build_id",
"iso_path",
"cvars.phase_b_snapshot_dir"
],
"engine": "ours",
"host_ns_at_snapshot": 0,
"image_loaded_sha256": "ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18",
"iso_path": "",
"schema_version": 1,
"wall_clock_iso8601": "epoch:0",
"xex_entry_point": "0x824ab748",
"xex_header_sha256": "0000000000000000000000000000000000000000000000000000000000000000",
"xex_image_base": "0x82000000",
"xex_image_size": 9568256
}

View File

@@ -0,0 +1,234 @@
{
"cr": [
"0x0",
"0x0",
"0x0",
"0x0",
"0x0",
"0x0",
"0x0",
"0x0"
],
"ctr": "0x0000000000000000",
"deterministic_skip": [
"hw_id"
],
"engine": "ours",
"fpr": [
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000"
],
"fpscr": "0x00000000",
"gpr": [
"0x0000000000000000",
"0x00000000700fff00",
"0x0000000020000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x000000007fff0000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000",
"0x0000000000000000"
],
"hw_id": 0,
"lr": "0x00000000bcbcbcbc",
"msr": "0x0000000000009030",
"pc": "0x824ab748",
"pcr_base": "0x7fff0000",
"schema_version": 1,
"stack_base": "0x00000000",
"stack_limit": "0x00000000",
"thread_id": 1,
"tls_base": "0x00000000",
"vr": [
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"00000000000000000000000000000000"
],
"vrsave": "0xffffffff",
"vscr": "00000000000000000000000000010000",
"xer": {
"ca": 0,
"ov": 0,
"so": 0,
"tbc": 0
}
}
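
Review bot: this 234-line file is byte-identical to the snap-001 copy, since the two `"engine": "ours"` manifests in this commit record the same `cpu_state.json` digest, and the same holds for kernel.json, memory.json and vfs.json. For a reproducibility run the manifest alone proves the point; consider committing only the snap-002 manifest and config.json, or collapsing the 128 all-zero `vr` entries, to keep the audit directory reviewable.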

View File

@@ -0,0 +1,62 @@
{
"deterministic_skip": [
"raw_handle_id",
"exports_registered_count"
],
"engine": "ours",
"exports_registered_count": 199,
"exports_registered_sample": [
"xam.xex!NetDll_WSACleanup",
"xam.xex!NetDll_WSAStartup",
"xam.xex!XGetAVPack",
"xam.xex!XGetGameRegion",
"xam.xex!XGetLanguage",
"xam.xex!XGetVideoMode",
"xam.xex!XMsgInProcessCall",
"xam.xex!XMsgStartIORequest",
"xam.xex!XMsgStartIORequestEx",
"xam.xex!XNotifyGetNext",
"xam.xex!XNotifyPositionUI",
"xam.xex!XamAlloc",
"xam.xex!XamContentClose",
"xam.xex!XamContentCreate",
"xam.xex!XamContentCreateEnumerator",
"xam.xex!XamContentDelete",
"xam.xex!XamContentGetCreator",
"xam.xex!XamContentGetDeviceData",
"xam.xex!XamContentGetDeviceName",
"xam.xex!XamContentGetDeviceState",
"xam.xex!XamContentSetThumbnail",
"xam.xex!XamEnableInactivityProcessing",
"xam.xex!XamEnumerate",
"xam.xex!XamFree",
"xam.xex!XamGetExecutionId",
"xam.xex!XamGetSystemVersion",
"xam.xex!XamInputGetCapabilities",
"xam.xex!XamInputGetKeystrokeEx",
"xam.xex!XamInputGetState",
"xam.xex!XamInputSetState",
"xam.xex!XamLoaderLaunchTitle",
"xam.xex!XamLoaderTerminateTitle"
],
"exports_registered_sha256": "bb97815f82b2313c9eaa07bf80dab47c5c23408c24203a1283dfb2aba1e84e09",
"handle_name_table": [],
"notification_listeners": [],
"objects": [
{
"details": {
"entry_pc": "0x824ab748",
"exit_code": null,
"hw_id": 0,
"is_entry_thread": true,
"thread_id": 1
},
"handle_semantic_id": "9879c5053fedb1d0",
"name": null,
"raw_handle_id": "0x00001000",
"type": "Thread",
"type_code": 5
}
],
"schema_version": 1
}

View File

@@ -0,0 +1,11 @@
{
"engine": "ours",
"files": {
"config.json": "c3716710811050310ecff19f8025f3afa767f2e98785bdeaf7747f8a1476e4de",
"cpu_state.json": "4e6df54ca1939d08854f3a52b49ed2c5ee0823d63cdecad8a7395203dac5443a",
"kernel.json": "b64ea3a6c14f1b0aaadc6de8adbb894edf636a813120d08028ca096e1d06bacc",
"memory.json": "994cb69346606adfb4822d72789ab5f9aa182fd26c11fb874384d3bda5957252",
"vfs.json": "97bb2bda57266d8e0dd1da13309eab5ece43130ef378a0b682917d299e9dc4e1"
},
"schema_version": 1
}
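
Review bot: the `config.json` digest here differs from the snap-001 manifest even though the two config files differ only in `cvars.phase_b_snapshot_dir`, which both list under `deterministic_skip`. The manifest is therefore hashing the raw file bytes, and a reproducibility check that compares manifests will report a mismatch for a field the schema already declares non-deterministic. Hash each file after dropping its `deterministic_skip` fields, or state in the manifest that the digests are over raw bytes.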

View File

@@ -0,0 +1,109 @@
{
"committed_pages_total": 2594,
"deterministic_skip": [
"host_base_pointer"
],
"engine": "ours",
"guest_address_space_bytes": 4294967296,
"heaps": [
{
"base": "0x00000000",
"name": "v00000000",
"page_size": 4096,
"page_state_histogram": {
"committed": 0
},
"size": "0x40000000"
},
{
"base": "0x40000000",
"name": "v40000000",
"page_size": 4096,
"page_state_histogram": {
"committed": 263
},
"size": "0x40000000"
},
{
"base": "0x80000000",
"name": "v80000000",
"page_size": 4096,
"page_state_histogram": {
"committed": 2336
},
"size": "0x40000000"
},
{
"base": "0x90000000",
"name": "v90000000",
"page_size": 4096,
"page_state_histogram": {
"committed": 0
},
"size": "0x40000000"
}
],
"page_size": 4096,
"regions": [
{
"byte_count": 1048576,
"end": "0x70100000",
"protect": 0,
"section_kind": null,
"sha256": "30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58",
"start": "0x70000000"
},
{
"byte_count": 4096,
"end": "0x7ffe1000",
"protect": 0,
"section_kind": null,
"sha256": "ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",
"start": "0x7ffe0000"
},
{
"byte_count": 4096,
"end": "0x7fff1000",
"protect": 0,
"section_kind": null,
"sha256": "e35cddaf9c210aed7505ec4cf1c599f58ac2b7ec25b0885db1ee49aba2db519a",
"start": "0x7fff0000"
},
{
"byte_count": 9568256,
"end": "0x82920000",
"protect": 0,
"section_kind": null,
"sha256": "ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18",
"start": "0x82000000"
}
],
"regions_walked": [],
"schema_version": 1,
"section_contents": [
{
"content_b64": "",
"end": "0x70100000",
"sha256": "30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58",
"start": "0x70000000"
},
{
"content_b64": "",
"end": "0x7ffe1000",
"sha256": "ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",
"start": "0x7ffe0000"
},
{
"content_b64": "",
"end": "0x7fff1000",
"sha256": "e35cddaf9c210aed7505ec4cf1c599f58ac2b7ec25b0885db1ee49aba2db519a",
"start": "0x7fff0000"
},
{
"content_b64": "",
"end": "0x82920000",
"sha256": "ea8d160e9369328a5b922258a92113efb8d7ce3e1a5c12cc521e375985c91c18",
"start": "0x82000000"
}
]
}

View File

@@ -0,0 +1,71 @@
{
"cache_root_listing": [],
"deterministic_skip": [
"host_path_realpath"
],
"engine": "ours",
"mounted_devices_observed_count": 1,
"resolve_path_probes": [
{
"is_directory": true,
"path": "\\Device\\Cdrom0",
"resolved": true,
"size": null
},
{
"is_directory": true,
"path": "\\Device\\Cdrom0\\dat",
"resolved": true,
"size": 4096
},
{
"is_directory": null,
"path": "\\Device\\Cdrom0\\dat\\movie",
"resolved": false,
"size": null
},
{
"is_directory": null,
"path": "\\Device\\Cdrom0\\dat\\movie\\opening.bik",
"resolved": false,
"size": null
},
{
"is_directory": false,
"path": "\\Device\\Cdrom0\\default.xex",
"resolved": true,
"size": 3497984
},
{
"is_directory": null,
"path": "\\Device\\HardDisk0\\Partition1",
"resolved": false,
"size": null
},
{
"is_directory": true,
"path": "cache:\\",
"resolved": true,
"size": null
},
{
"is_directory": null,
"path": "cache:\\nonexistent_probe",
"resolved": false,
"size": null
},
{
"is_directory": true,
"path": "game:\\dat",
"resolved": true,
"size": 4096
},
{
"is_directory": false,
"path": "game:\\default.xex",
"resolved": true,
"size": 3497984
}
],
"schema_version": 1
}

View File

@@ -0,0 +1,88 @@
# Phase C — first-divergence audit summary
**Date**: 2026-05-13. **Outcome**: The Phase B `image_loaded_sha256`
δ-content-STOP is a false positive caused by an over-strict invariant.
Both engines load the XEX into byte-identical content modulo
legitimate engine-specific import-thunk patches. Fix is in the
comparison framework; no engine bug exists at this layer.
## Three numbers
| metric | value |
|---|---|
| bytes in XEX image | 9568256 |
| bytes differing canary↔ours (raw) | 3704 |
| bytes differing canary↔ours (canonical, imports masked) | **0** |
## The path
1. **Ground truth**: `tools/xex-extract` is a Rust offline XEX2
decoder, independent of both engines. Its `.pe` output sha256 is
`9be5f5621c517c78a451245eca25d54388af741ed20e669b2f78438aaa429e72`.
Provenance verified by independent layout sampling.
2. **Re-snapshot** both engines with `--phase-b-dump-section-content`
(this session added: ~22 LOC ours, ~22 LOC canary, behind existing
cvar — default off, inert).
3. **first-diff.py** — masks XEX import slots (4 bytes per
record_type=0, 16 bytes per record_type=1, 3920 bytes total / 398
slots) and compares. Outcome: canary canonical == ours canonical ==
.pe canonical = `62c51908e2df705583fe81a084f39bd399196f9000cfa7bffd56127b41a4ab96`.
4. **diff_state.py** — added `--xex-json` flag + canonical-hash
invariant. STOP invariant downgraded from raw `image_loaded_sha256`
match to canonical match. Backward-compat: when `--xex-json` is
omitted OR `image.bin` is missing, old behavior preserved.
## Why this is an instrumentation fix, not an engine fix
- canary patches record_type=0 import slots with `0xDEADC0DE` poison.
- ours patches record_type=0 slots with `0x00000000`.
- canary overwrites record_type=1 thunks with `sc/blr/nop/nop` host-shim bytes.
- ours leaves record_type=1 thunks as the .pe template (HLE dispatch
occurs at the JIT call site, not by overwriting thunk bytes).
These are valid engine implementation choices for the same semantic
behavior. The XEX-decode pipeline (AES decrypt + LZX decompress +
section layout + applied relocations) produces byte-identical output
in both engines and is verified against the third-party offline decoder.
## Files in this directory
| file | purpose |
|---|---|
| `summary.md` | This file. |
| `ground-truth.md` | Provenance + verification of the .pe third reference. |
| `classification.md` | First byte-diff classification + canonicalization rationale. |
| `first-diff.py` | The first-byte-diff tool (raw + canonical + vs .pe). |
| `first-diff-report.md` | Output of `first-diff.py` on snap-001. |
| `post-fix-diff-report.md` | Output of updated `diff_state.py` with --xex-json. |
| `post-fix-diff-report.json` | Same, machine-readable. |
| `fix.diff` | Summary + content of the actual changes landed. |
| `re-validation.md` | Per-gate evidence (3 cvar-off runs, re-snap, Phase A re-diff). |
| `snap-001/` | Fresh canary + ours snapshots with content dump. |
| `snap-002/` | Reproducibility test re-snapshot for ours. |
| `phase-a/` | Phase A re-diff event logs + report. |
| `digest-cvaroff-{1,2,3}.json` | Determinism reproducibility runs. |
## Cascade vs prediction
| | predicted | actual |
|---|---|---|
| A (first byte-diff localized + classified) | ~85% | ✅ (off=0x600, .rdata, import slot) |
| B (ground truth identified) | ~70% | ✅ (.pe via xex-extract, verified) |
| C (wrong engine + bug found) | ~55% | ⚠ **no engine bug** — fix in comparison framework |
| D (fix lands + image-load matches) | 35-45% | ✅ canonical hash matches |
| D' (kernel.call prefix extends) | ~55% | ❌ unchanged at 113 (expected — no engine change) |
Cascade C resolves to "instrumentation bug, not engine bug" — an
outcome the brief anticipated via tripstone #2 ("Import thunks are
legitimately engine-specific... canonicalize and re-find first diff").
## What Phase C+1 should do
1. The remaining 68 advisory divergences in `post-fix-diff-report.md`
are all downstream of allocator strategy or kernel-object population
differences. ε-class (allocator drift) is documented as catalog-only.
2. The **real** first runtime divergence per Phase A's diff is at
`tid_event_idx=113`: `KeQuerySystemTime return_value: canary=0
ours=1880095840`. This is a kernel-call semantic divergence and is
the natural Phase C+1 target.
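
Review bot: step 3 of "The path" masks all 3920 import-slot bytes before comparing, so any value inside a slot is accepted, not only the patterns listed under "Why this is an instrumentation fix". Please have `first-diff.py` check that each masked slot holds one of the expected per-engine values (`0xDEADC0DE` or `0x00000000` for record_type=0, the `sc/blr/nop/nop` shim or the .pe template for record_type=1) before it is masked, so a stray write into the import table still trips the STOP invariant. Step 4's fallback also needs a visible signal: when `--xex-json` is omitted or `image.bin` is missing, the tool silently returns to the raw-hash check that this document classifies as a false positive, so the report should state which invariant was applied.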