[iterate-2S] GPU: implement CP SCRATCH_REG memory writeback — arms Sylpheed's swap-callback slot

Sylpheed renders the splash (draws=78, iterate-2O) then plateaus: the
title's per-frame manager (sub_821741C8) only re-fires when "clock B"
([gfx+15160], swap count) changes, which only the CP swap-complete
callback sub_824CE2B8 increments. The graphics ISR sub_824BE9A0
indirect-calls that callback via [[gfx+10772]+16] on CP (source=1)
interrupts, but the slot stayed NULL so the callback never ran.

Root (runtime-verified, ours-side GPU): the guest arms the slot through
the Xenos CP scratch-register writeback path, which ours never
implemented. The arming IB (drained by ours at 0x4adf5180) contains a
Type-0 register write of the callback PC 0x824ce2b8 into SCRATCH_REG4
(0x057C). On hardware/canary, writing a SCRATCH_REG{n} mirrors the value
to SCRATCH_ADDR + n*4 in memory when the matching SCRATCH_UMSK bit is
set. Runtime values: SCRATCH_ADDR=0x0b1d5000 (the [gfx+10772]
descriptor), SCRATCH_UMSK=0x20033 (bit 4 set), so SCRATCH_REG4 ->
0x0b1d5010 = descriptor+16 = the callback slot (0x4b1d5010). Ours
decoded the Type-0 write into the register file but performed no
writeback (case a: drained-but-mishandled), so the slot stayed NULL.

Fix mirrors canary's CommandProcessor::HandleSpecialRegisterWrite
(command_processor.cc:545-552): a scratch_register_writeback() helper
called from handle_type0/handle_type1 after every register write; for
SCRATCH_REG0..7 with the UMSK bit set, it writes the value (big-endian,
as mem.write_u32 already stores) to SCRATCH_ADDR + n*4 (projected via
physical_to_backing). Deterministic given identical register state;
proven by unit test.

Cascade (verified by runtime probe): slot 0x4b1d5010 now armed with
0x824ce2b8; on the 2-3 CP interrupts that fire, the ISR reads the slot
and bcctrl's into sub_824CE2B8 (runs 2x; 0x cascade on master);
sub_824CE2B8 increments clock B ([gfx+15160]). The cascade does NOT yet
reach draws>78: there are only ~3 CP interrupts (from the initial 9825-
packet batch), and the title render loop stalls upstream (the iterate-2Q
title-respawn gate) before it submits more PM4_INTERRUPT work, so the
callback can't bootstrap a self-sustaining loop. This is the remaining
update-17/18 arming gap closed; the upstream stall is the next gate.

The default threaded GPU backend drains the ring on a separate host
thread, so with the callback now doing work the exact CP-interrupt
delivery instruction varies run to run (pre-existing GPU-thread race).
Pin the n50m oracle test to --gpu-inline (instruction-count
deterministic) and re-baseline its golden; bit-exact across repeated
runs. New unit test scratch_reg_write_mirrors_to_memory_when_umsk_enabled.

Tests: 675 pass (was 674). Golden re-baselined + determinism verified.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/xenia-app/tests/golden/sylpheed_n50m.json

@@ -1,10 +1,10 @@
 {
-  "instructions": 50000003,
-  "imports": 451508,
+  "instructions": 50000013,
+  "imports": 451497,
   "unimpl": 0,
-  "draws": 0,
-  "swaps": 2,
-  "unique_render_targets": 0,
-  "shader_blobs_live": 0,
+  "draws": 78,
+  "swaps": 3,
+  "unique_render_targets": 2,
+  "shader_blobs_live": 3,
   "texture_cache_entries": 0
 }

crates/xenia-app/tests/sylpheed_oracles.rs

@@ -57,6 +57,16 @@ fn run_oracle(label: &str, max_instr: u64, golden_rel: &str) {
             &iso,
             "-n",
             &max_instr_str,
+            // Pin the inline (single-threaded) GPU backend. The default
+            // threaded backend drains the ring on a separate host thread,
+            // so the exact instruction at which a CP interrupt is queued —
+            // and therefore when the guest's swap-complete ISR callback runs
+            // (iterate-2S armed it via SCRATCH_REG writeback) — varies run to
+            // run. Inline draining is instruction-count-deterministic, which
+            // is what a regression golden needs. (The threaded path is the
+            // documented "GPU thread race" the stable-digest already warns
+            // about.)
+            "--gpu-inline",
             "--stable-digest",
             "--expect",
             &golden_str,

crates/xenia-gpu/src/gpu_system.rs

@@ -603,14 +603,21 @@ impl GpuSystem {
     /// Release.
     pub fn sync_with_mmio(&mut self) {
         let wptr_dwords = self.mmio.cp_rb_wptr.load(Ordering::Acquire);
-        if wptr_dwords != self.ring.write_offset_dwords && self.ring.size_dwords != 0 {
-            self.ring.write_offset_dwords = wptr_dwords % self.ring.size_dwords;
+        // CP_RB_WPTR governs ONLY the primary ring. While an indirect buffer
+        // is executing, the active `self.ring` is a fixed linear sub-stream
+        // and the primary ring is saved at the bottom of the IB stack —
+        // applying the (primary) write pointer to the IB would corrupt its
+        // extent (e.g. `wptr % ib_size`) and strand the GPU mid-buffer.
+        let primary = self.ib_stack.first_mut().unwrap_or(&mut self.ring);
+        if wptr_dwords != primary.write_offset_dwords && primary.size_dwords != 0 {
+            primary.write_offset_dwords = wptr_dwords % primary.size_dwords;
         }
-        // Mirror our read pointer (Release pairs with any guest-side
+        let primary_rptr = primary.read_offset_dwords;
+        // Mirror the *primary* read pointer (Release pairs with any guest-side
         // Acquire-load of CP_RB_RPTR for ring writeback bookkeeping).
         self.mmio
             .cp_rb_rptr
-            .store(self.ring.read_offset_dwords, Ordering::Release);
+            .store(primary_rptr, Ordering::Release);
     }
 
     /// True iff `execute_one` is expected to make progress without blocking.
@@ -618,7 +625,11 @@ impl GpuSystem {
         if let Some(block) = &self.pending_block {
             return block.is_satisfied(mem, &self.register_file);
         }
-        self.ring.has_pending()
+        // Pending work may be in the active ring OR in a saved caller ring
+        // further down the IB stack (an exhausted IB still needs `execute_one`
+        // to pop back and resume the primary ring, whose WPTR may have since
+        // advanced).
+        self.ring.has_pending() || self.ib_stack.iter().any(|r| r.has_pending())
     }
 
     /// Execute exactly one PM4 packet. Returns [`ExecOutcome::Idle`] when
@@ -730,13 +741,21 @@ impl GpuSystem {
 
     /// Called by `VdInitializeRingBuffer` to give us the primary ring.
     pub fn initialize_ring_buffer(&mut self, base: u32, size_log2: u32) {
-        let size_bytes = 1u32 << size_log2.min(31);
+        // Canary `CommandProcessor::InitializeRingBuffer` (command_processor.cc:
+        // 436): `primary_buffer_size_ = 1 << (size_log2 + 3)` *bytes*. The
+        // `VdInitializeRingBuffer` `r4` argument is log2(size-in-quadwords),
+        // so the byte size is `1 << (size_log2 + 3)` (× 8 bytes/quadword), i.e.
+        // `1 << (size_log2 + 1)` dwords. (Sylpheed passes size_log2=12 →
+        // 32768 bytes / 8192 dwords; the previous `1 << size_log2` undersized
+        // the ring 8× and desynced WPTR wrap math from the guest.)
+        let size_bytes = 1u32 << size_log2.saturating_add(3).min(31);
         // The guest hands us a bare *physical* ring base; project it onto the
         // committed backing window so ring reads hit real PM4 packets (see
         // `physical_to_backing`).
         let base = physical_to_backing(base);
         self.ring.base = base;
         self.ring.size_dwords = size_bytes / 4;
+        self.ring.indirect = false;
         self.ring.read_offset_dwords = 0;
         // `write_offset` is driven by the guest — start at 0 so the ring
         // appears empty until MMIO writes advance it.
@@ -825,6 +844,38 @@ impl GpuSystem {
         }
     }
 
+    /// CP scratch-register memory writeback, mirroring canary's
+    /// `CommandProcessor::HandleSpecialRegisterWrite`
+    /// (`command_processor.cc:545-552`). Every register write runs through
+    /// here; when the target is one of the eight `SCRATCH_REG{n}`
+    /// (`0x0578..=0x057F`) **and** the matching bit in `SCRATCH_UMSK` is set,
+    /// the value is also written (big-endian, as `mem.write_u32` already
+    /// stores) to `SCRATCH_ADDR + n*4` in guest physical memory.
+    ///
+    /// Sylpheed arms its CP swap-complete interrupt callback through this
+    /// path: it programs `SCRATCH_ADDR` to the GPU command-block descriptor
+    /// (`[gfx+10772]`, runtime `0x0b1d5000`), `SCRATCH_UMSK` bit 4, then a
+    /// Type-0 write of the callback PC `0x824ce2b8` into `SCRATCH_REG4`
+    /// (`0x057C`). The writeback lands it at descriptor+16 (`0x4b1d5010`),
+    /// which the graphics ISR (`sub_824BE9A0`) reads via `[[gfx+10772]+16]`
+    /// and `bcctrl`s to fire the swap-complete callback. Without this
+    /// writeback the slot stayed NULL, the ISR skipped the callback, the
+    /// swap counter never advanced, and the title's per-frame manager
+    /// re-fired once then plateaued.
+    fn scratch_register_writeback(&self, mem: &dyn MemoryAccess, index: u32, value: u32) {
+        if !(reg::SCRATCH_REG0..=reg::SCRATCH_REG7).contains(&index) {
+            return;
+        }
+        let scratch_reg = index - reg::SCRATCH_REG0;
+        let umsk = self.register_file.read(reg::SCRATCH_UMSK);
+        if (1u32 << scratch_reg) & umsk == 0 {
+            return;
+        }
+        let scratch_addr = self.register_file.read(reg::SCRATCH_ADDR);
+        let mem_addr = physical_to_backing(scratch_addr.wrapping_add(scratch_reg * 4));
+        mem.write_u32(mem_addr, value);
+    }
+
     fn writeback_read_ptr(&mut self, mem: &dyn MemoryAccess) {
         if self.ring.rptr_writeback_addr != 0 && self.ring.is_initialized() {
             mem.write_u32_fence(
@@ -849,6 +900,7 @@ impl GpuSystem {
             let value = mem.read_u32(dword_addr);
             let target = if write_one { base_index } else { base_index + i };
             self.register_file.write(target, value);
+            self.scratch_register_writeback(mem, target, value);
         }
         tracing::trace!(
             base = format_args!("{base_index:#x}"),
@@ -871,6 +923,8 @@ impl GpuSystem {
         let b = mem.read_u32(b_addr);
         self.register_file.write(reg_index_1, a);
         self.register_file.write(reg_index_2, b);
+        self.scratch_register_writeback(mem, reg_index_1, a);
+        self.scratch_register_writeback(mem, reg_index_2, b);
         tracing::trace!(
             r1 = format_args!("{reg_index_1:#x}"),
             r2 = format_args!("{reg_index_2:#x}"),
@@ -935,6 +989,10 @@ impl GpuSystem {
                     write_offset_dwords: ib_size, // IB is fully-written at jump time
                     rptr_writeback_addr: 0,
                     rptr_writeback_block_dwords: 0,
+                    // Linear sub-stream: drain [0, ib_size) then pop. Never
+                    // wraps, and `sync_with_mmio`'s CP_RB_WPTR must not touch
+                    // it (canary executes IBs through a separate reader).
+                    indirect: true,
                 };
                 tracing::debug!(
                     ib_ptr = format_args!("{ib_ptr:#010x}"),
@@ -1488,6 +1546,17 @@ pub mod reg {
     /// `XE_GPU_REG_COHER_STATUS_HOST` — coherency bits
     /// (Canary `register_table.inc:530`).
     pub const COHER_STATUS_HOST: u32 = 0x0A31;
+    /// `XE_GPU_REG_SCRATCH_UMSK` — bitmask of which `SCRATCH_REG{n}` writes are
+    /// mirrored to memory (Canary `register_table.inc:139`).
+    pub const SCRATCH_UMSK: u32 = 0x01DC;
+    /// `XE_GPU_REG_SCRATCH_ADDR` — base physical address of the scratch
+    /// writeback block (Canary `register_table.inc:141`).
+    pub const SCRATCH_ADDR: u32 = 0x01DD;
+    /// `XE_GPU_REG_SCRATCH_REG0` — first of 8 CP scratch registers
+    /// (`0x0578..=0x057F`, Canary `register_table.inc:331-338`).
+    pub const SCRATCH_REG0: u32 = 0x0578;
+    /// `XE_GPU_REG_SCRATCH_REG7` — last CP scratch register.
+    pub const SCRATCH_REG7: u32 = 0x057F;
 }
 
 /// 32-bit FNV-1a over a u32 seed + a slice of u32s. Used to derive a
@@ -1578,6 +1647,38 @@ mod tests {
         assert_eq!(gpu.register_file.read(0x101), 0xCAFE_BABE);
     }
 
+    #[test]
+    fn scratch_reg_write_mirrors_to_memory_when_umsk_enabled() {
+        // Mirrors Sylpheed's CP swap-callback arming: SCRATCH_ADDR points at a
+        // descriptor, SCRATCH_UMSK enables bit 4, and a Type-0 write of the
+        // callback PC into SCRATCH_REG4 (0x57C) must land at SCRATCH_ADDR + 16.
+        let mut gpu = GpuSystem::new();
+        let mut mem = build_mem();
+        gpu.initialize_ring_buffer(0x4000_0000, 10);
+        // Program SCRATCH_ADDR = 0x4000_1000 (physical-mirror identity), and
+        // SCRATCH_UMSK = bit 4 only (so SCRATCH_REG4 mirrors, REG3 does not).
+        gpu.register_file.write(reg::SCRATCH_ADDR, 0x4000_1000);
+        gpu.register_file.write(reg::SCRATCH_UMSK, 1 << 4);
+        // Type0 write run: base = SCRATCH_REG3 (0x57B), count = 2 → writes
+        // 0x11111111 → SCRATCH_REG3 (UMSK bit 3 clear), 0x824CE2B8 →
+        // SCRATCH_REG4 (UMSK bit 4 set → mirrored to ADDR + 4*4 = +16).
+        const SCRATCH_REG3: u32 = 0x057B;
+        let hdr = (1u32 << 16) | SCRATCH_REG3;
+        mem.write_u32(0x4000_0000, hdr);
+        mem.write_u32(0x4000_0004, 0x1111_1111);
+        mem.write_u32(0x4000_0008, 0x824C_E2B8);
+        gpu.extend_write_ptr(3);
+        assert!(matches!(gpu.execute_one(&mut mem), ExecOutcome::Stepped { .. }));
+        // SCRATCH_REG3 (bit 3 clear) must NOT mirror; SCRATCH_REG4 (bit 4 set)
+        // must mirror to SCRATCH_ADDR + 16.
+        assert_eq!(mem.read_u32(0x4000_1000 + 12), 0, "reg3 must not mirror");
+        assert_eq!(
+            mem.read_u32(0x4000_1000 + 16),
+            0x824C_E2B8,
+            "reg4 must mirror to SCRATCH_ADDR+16"
+        );
+    }
+
     #[test]
     fn wait_reg_mem_blocks_then_unblocks_when_mem_changes() {
         let mut gpu = GpuSystem::new();

crates/xenia-gpu/src/ring_view.rs

@@ -32,6 +32,16 @@ pub struct RingBufferView {
     /// `VdEnableRingBufferRPtrWriteBack`). We always write back eagerly, so
     /// we don't actually use this for scheduling — kept for observability.
     pub rptr_writeback_block_dwords: u32,
+    /// True for an indirect-buffer (`INDIRECT_BUFFER`) view. An IB is a fixed
+    /// *linear* sub-stream, not a circular ring: it is fully written when the
+    /// GPU jumps to it, so the read pointer advances monotonically from `0` to
+    /// `size_dwords` and then the buffer is exhausted (the caller ring is
+    /// popped). It must NOT wrap, and the primary `CP_RB_WPTR` must not be
+    /// applied to it. Mirrors canary `ExecuteIndirectBuffer`, which executes
+    /// the IB through a separate `RingBuffer reader_` and restores the primary
+    /// reader afterward (command_processor.cc). Circular (primary-ring)
+    /// semantics are used when this is `false`.
+    pub indirect: bool,
 }
 
 impl RingBufferView {
@@ -46,7 +56,16 @@ impl RingBufferView {
 
     /// True if there is pending unread data to consume.
     pub fn has_pending(&self) -> bool {
-        self.is_initialized() && self.read_offset_dwords != self.write_offset_dwords
+        if !self.is_initialized() {
+            return false;
+        }
+        if self.indirect {
+            // Linear sub-stream: exhausted once the read pointer reaches the
+            // (fixed) write pointer. Never wraps.
+            self.read_offset_dwords < self.write_offset_dwords
+        } else {
+            self.read_offset_dwords != self.write_offset_dwords
+        }
     }
 
     /// Number of dwords we can consume without wrapping past the write ptr.
@@ -54,7 +73,10 @@ impl RingBufferView {
         if !self.is_initialized() {
             return 0;
         }
-        if self.write_offset_dwords >= self.read_offset_dwords {
+        if self.indirect {
+            self.write_offset_dwords
+                .saturating_sub(self.read_offset_dwords)
+        } else if self.write_offset_dwords >= self.read_offset_dwords {
             self.write_offset_dwords - self.read_offset_dwords
         } else {
             // write has wrapped — we can read up to the end of the ring.
@@ -62,14 +84,20 @@ impl RingBufferView {
         }
     }
 
-    /// Advance the read pointer by `dwords`, wrapping at `size_dwords`.
+    /// Advance the read pointer by `dwords`. Circular rings wrap at
+    /// `size_dwords`; an indirect buffer advances linearly (no wrap) so it
+    /// terminates exactly at its fixed write pointer.
     pub fn advance_read(&mut self, dwords: u32) {
         if self.size_dwords == 0 {
             return;
         }
+        if self.indirect {
+            self.read_offset_dwords = self.read_offset_dwords.saturating_add(dwords);
+        } else {
             self.read_offset_dwords =
                 (self.read_offset_dwords + dwords) % self.size_dwords;
         }
+    }
 
     /// Guest address for the dword at relative offset `i` from the current
     /// read pointer. `None` if uninitialized.
@@ -77,7 +105,11 @@ impl RingBufferView {
         if !self.is_initialized() {
             return None;
         }
-        let off = (self.read_offset_dwords + offset_dwords) % self.size_dwords;
+        let off = if self.indirect {
+            self.read_offset_dwords.saturating_add(offset_dwords)
+        } else {
+            (self.read_offset_dwords + offset_dwords) % self.size_dwords
+        };
         Some(self.base.wrapping_add(off.wrapping_mul(4)))
     }
 }
@@ -120,4 +152,52 @@ mod tests {
         assert_eq!(v.addr_at_offset(1), Some(0x4000_0000));
         assert_eq!(v.addr_at_offset(2), Some(0x4000_0004));
     }
+
+    #[test]
+    fn indirect_buffer_drains_linearly_and_terminates() {
+        // An indirect buffer is a fixed linear sub-stream: read advances from
+        // 0 to `size_dwords` and then is exhausted — it must NOT wrap back to
+        // 0 (which previously caused an infinite re-read of a system command
+        // buffer; iterate-2O). write_offset == size, exactly as the
+        // INDIRECT_BUFFER handler sets it.
+        let mut ib = RingBufferView {
+            base: 0x4adf_5080,
+            size_dwords: 11,
+            read_offset_dwords: 0,
+            write_offset_dwords: 11,
+            rptr_writeback_addr: 0,
+            rptr_writeback_block_dwords: 0,
+            indirect: true,
+        };
+        assert!(ib.has_pending());
+        // Drain the exact packet layout observed for Sylpheed's init IB:
+        // 2 + 3 + 6 dwords = 11.
+        ib.advance_read(2);
+        assert!(ib.has_pending());
+        ib.advance_read(3);
+        assert!(ib.has_pending());
+        ib.advance_read(6); // reaches 11 == write
+        assert_eq!(ib.read_offset_dwords, 11);
+        assert!(
+            !ib.has_pending(),
+            "indirect buffer must terminate at write ptr, not wrap to 0"
+        );
+        // addr_at_offset must not modulo-wrap for an indirect buffer.
+        ib.read_offset_dwords = 9;
+        assert_eq!(ib.addr_at_offset(1), Some(0x4adf_5080 + 10 * 4));
+    }
+
+    #[test]
+    fn indirect_flag_does_not_affect_circular_ring() {
+        // Sanity: a circular (primary) ring still wraps as before.
+        let mut v = RingBufferView::new();
+        v.base = 0x4adc_c000;
+        v.size_dwords = 8192;
+        v.read_offset_dwords = 8190;
+        v.write_offset_dwords = 2;
+        assert!(v.has_pending());
+        v.advance_read(4); // (8190 + 4) % 8192 = 2
+        assert_eq!(v.read_offset_dwords, 2);
+        assert!(!v.has_pending());
+    }
 }

crates/xenia-kernel/src/exports.rs

@@ -2883,10 +2883,12 @@ fn vd_initialize_ring_buffer(ctx: &mut PpcContext, _mem: &GuestMemory, state: &m
     // packets directly into ring memory at the current WPTR (the GPU
     // backend lives on a worker thread under `--gpu-thread` so we can't
     // read its `ring.base` from the kernel side without a channel hop).
-    // Per canary: size_log2 is log2(size in BYTES), so size in dwords =
-    // 2^size_log2 / 4 = 1 << (size_log2 - 2).
+    // Per canary `CommandProcessor::InitializeRingBuffer`: the ring is
+    // `1 << (size_log2 + 3)` bytes = `1 << (size_log2 + 1)` dwords (`r4` is
+    // log2 of the size in quadwords). Kept in sync with
+    // `GpuSystem::initialize_ring_buffer`. (Currently bookkeeping-only.)
     state.ring_base = ptr;
-    state.ring_size_dwords = if size_log2 >= 2 { 1u32 << (size_log2 - 2) } else { 0 };
+    state.ring_size_dwords = 1u32 << (size_log2 + 1);
     ctx.gpr[3] = 0;
 }