[iterate-2U] VdGlobalDevice: allocate a real device cell so the swap counter (clock B) can advance

Sylpheed's title loop re-runs its per-frame manager update sub_821741C8
only when "clock B" ([controller+88], the swap count) changes. Clock B's
sole source is the CP swap-complete callback sub_824CE2B8, which bumps
[gfx+15160] via the TWO-LEVEL deref [[VdGlobalDevice]+0]+15160, where
VdGlobalDevice is the kernel variable export 0x01BE at guest .data
0x82000750.

Ours patched that import slot with literal 0 (the old "passed through to
Vd* shims, write 0" behaviour). Consequences, both confirmed at runtime:
  * the guest's graphics init stores its D3D device object via
    `stw r31, 0([0x82000750])` (sub_824C6DC0 @0x824C6F18) — with the slot
    0, that store lands at address 0;
  * the swap callback reads [[0x82000750]] = [0] = 0 and increments
    [0+15160] (the null page) instead of the real device's swap counter.
So [gfx+15160] never moved, clock B stayed frozen at 0, sub_821741C8
fired exactly once, and the game submitted one render batch (the 78-draw
splash) then stalled.

Fix mirrors xenia-canary RegisterVideoExports (xboxkrnl_video.cc:557-564)
exactly: allocate a 4-byte cell, point the import slot at it, zero the
cell. The guest then stores its device into the cell, and the callback's
two-level deref resolves correctly. Verified: [0x82000750] now holds a
real cell whose [+0] is the device (gfx state), the swap callback bumps
[gfx+15160] 0->1, clock B advances, and the per-frame chain steps forward
(sub_821741C8 fires 1->2x, GamePart update sub_821C7CB8 0->1x).

Determinism: --gpu-inline digest re-baselined and byte-identical across
runs. The fix shifts the early execution trajectory (clock B unfreezing),
so the n50m golden moves imports 451500->178937 and instructions
50000001->50000014; draws/swaps/RTs/shaders unchanged (78/4/2/3). n2m
golden unchanged (early boot, pre-fix-effect). 675 workspace tests green;
sylpheed_n50m oracle green.

Note: this breaks the FIRST hard blocker (clock B could never advance at
all). Full per-frame sustain (draws past 78) needs a further step: each
GamePart update must submit a per-frame command buffer (with PM4_INTERRUPT)
during the asset-streaming phase to keep generating CP interrupts; ours
currently produces only the single seed interrupt from the initial batch,
so the chain advances once and re-stalls. Tracked for the next iterate.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/xenia-app/src/main.rs

@@ -1540,8 +1540,19 @@ fn cmd_exec_inner(
                     mem.write_u32(addr, block);
                 }
                 ("xboxkrnl.exe", 0x01BE) => {
-                    // VdGlobalDevice — passed through to Vd* shims. Write 0.
-                    mem.write_u32(addr, 0);
+                    // VdGlobalDevice — a *pointer to* a global D3D-device cell.
+                    // Mirror xenia-canary RegisterVideoExports (xboxkrnl_video.cc:
+                    // 557-564): allocate a 4-byte cell, point the import slot at
+                    // it, and zero the cell. The guest's graphics init then stores
+                    // its device object INTO the cell (e.g. sub_824C6DC0 @
+                    // 0x824C6F18 `stw r31, 0([0x82000750])`), and the swap-complete
+                    // callback sub_824CE2B8 reads it back via the two-level
+                    // `[[VdGlobalDevice]+0]+15160` to bump the swap counter (clock
+                    // B). Writing 0 directly here (the old behaviour) made that
+                    // store land at address 0 and the swap counter never advance —
+                    // freezing the title-loop's per-frame manager update.
+                    let cell = alloc_zero(0x4, &mut mem, &mut kernel);
+                    mem.write_u32(addr, cell);
                 }
                 ("xboxkrnl.exe", 0x01C0) => {
                     // VdGpuClockInMHz

crates/xenia-app/tests/golden/sylpheed_n50m.json

@@ -1,9 +1,9 @@
 {
-  "instructions": 50000001,
-  "imports": 451499,
+  "instructions": 50000014,
+  "imports": 178937,
   "unimpl": 0,
   "draws": 78,
-  "swaps": 3,
+  "swaps": 4,
   "unique_render_targets": 2,
   "shader_blobs_live": 3,
   "texture_cache_entries": 0

crates/xenia-app/tests/sylpheed_oracles.rs

@@ -57,6 +57,16 @@ fn run_oracle(label: &str, max_instr: u64, golden_rel: &str) {
             &iso,
             "-n",
             &max_instr_str,
+            // Pin the inline (single-threaded) GPU backend. The default
+            // threaded backend drains the ring on a separate host thread,
+            // so the exact instruction at which a CP interrupt is queued —
+            // and therefore when the guest's swap-complete ISR callback runs
+            // (iterate-2S armed it via SCRATCH_REG writeback) — varies run to
+            // run. Inline draining is instruction-count-deterministic, which
+            // is what a regression golden needs. (The threaded path is the
+            // documented "GPU thread race" the stable-digest already warns
+            // about.)
+            "--gpu-inline",
             "--stable-digest",
             "--expect",
             &golden_str,

crates/xenia-gpu/src/gpu_system.rs

@@ -726,10 +726,13 @@ impl GpuSystem {
             width,
             height,
         });
-        self.pending_interrupts.push(PendingInterrupt {
-            source: InterruptSource::Swap,
-            cpu_mask: 0x1,
-        });
+        // iterate-2T: do NOT raise a CP swap-complete interrupt here. Canary's
+        // `VdSwap`/PM4_XE_SWAP path raises no interrupt; swap-complete CP
+        // interrupts come ONLY from in-stream `PM4_INTERRUPT` packets, which
+        // are naturally ordered after D3D has armed the swap-callback slot.
+        // Synthesizing one out of band (as we did pre-2T) delivered a CP
+        // interrupt while the slot still held the `0xBADF00D` placeholder,
+        // tripping the graphics ISR's "Unanticipated CPU_INTERRUPT" assert.
         tracing::info!(
             frame = self.swap_counter,
             fb = format_args!("{frontbuffer_phys:#010x}"),
@@ -844,6 +847,38 @@ impl GpuSystem {
         }
     }
 
+    /// CP scratch-register memory writeback, mirroring canary's
+    /// `CommandProcessor::HandleSpecialRegisterWrite`
+    /// (`command_processor.cc:545-552`). Every register write runs through
+    /// here; when the target is one of the eight `SCRATCH_REG{n}`
+    /// (`0x0578..=0x057F`) **and** the matching bit in `SCRATCH_UMSK` is set,
+    /// the value is also written (big-endian, as `mem.write_u32` already
+    /// stores) to `SCRATCH_ADDR + n*4` in guest physical memory.
+    ///
+    /// Sylpheed arms its CP swap-complete interrupt callback through this
+    /// path: it programs `SCRATCH_ADDR` to the GPU command-block descriptor
+    /// (`[gfx+10772]`, runtime `0x0b1d5000`), `SCRATCH_UMSK` bit 4, then a
+    /// Type-0 write of the callback PC `0x824ce2b8` into `SCRATCH_REG4`
+    /// (`0x057C`). The writeback lands it at descriptor+16 (`0x4b1d5010`),
+    /// which the graphics ISR (`sub_824BE9A0`) reads via `[[gfx+10772]+16]`
+    /// and `bcctrl`s to fire the swap-complete callback. Without this
+    /// writeback the slot stayed NULL, the ISR skipped the callback, the
+    /// swap counter never advanced, and the title's per-frame manager
+    /// re-fired once then plateaued.
+    fn scratch_register_writeback(&self, mem: &dyn MemoryAccess, index: u32, value: u32) {
+        if !(reg::SCRATCH_REG0..=reg::SCRATCH_REG7).contains(&index) {
+            return;
+        }
+        let scratch_reg = index - reg::SCRATCH_REG0;
+        let umsk = self.register_file.read(reg::SCRATCH_UMSK);
+        if (1u32 << scratch_reg) & umsk == 0 {
+            return;
+        }
+        let scratch_addr = self.register_file.read(reg::SCRATCH_ADDR);
+        let mem_addr = physical_to_backing(scratch_addr.wrapping_add(scratch_reg * 4));
+        mem.write_u32(mem_addr, value);
+    }
+
     fn writeback_read_ptr(&mut self, mem: &dyn MemoryAccess) {
         if self.ring.rptr_writeback_addr != 0 && self.ring.is_initialized() {
             mem.write_u32_fence(
@@ -868,6 +903,7 @@ impl GpuSystem {
             let value = mem.read_u32(dword_addr);
             let target = if write_one { base_index } else { base_index + i };
             self.register_file.write(target, value);
+            self.scratch_register_writeback(mem, target, value);
         }
         tracing::trace!(
             base = format_args!("{base_index:#x}"),
@@ -890,6 +926,8 @@ impl GpuSystem {
         let b = mem.read_u32(b_addr);
         self.register_file.write(reg_index_1, a);
         self.register_file.write(reg_index_2, b);
+        self.scratch_register_writeback(mem, reg_index_1, a);
+        self.scratch_register_writeback(mem, reg_index_2, b);
         tracing::trace!(
             r1 = format_args!("{reg_index_1:#x}"),
             r2 = format_args!("{reg_index_2:#x}"),
@@ -1511,6 +1549,17 @@ pub mod reg {
     /// `XE_GPU_REG_COHER_STATUS_HOST` — coherency bits
     /// (Canary `register_table.inc:530`).
     pub const COHER_STATUS_HOST: u32 = 0x0A31;
+    /// `XE_GPU_REG_SCRATCH_UMSK` — bitmask of which `SCRATCH_REG{n}` writes are
+    /// mirrored to memory (Canary `register_table.inc:139`).
+    pub const SCRATCH_UMSK: u32 = 0x01DC;
+    /// `XE_GPU_REG_SCRATCH_ADDR` — base physical address of the scratch
+    /// writeback block (Canary `register_table.inc:141`).
+    pub const SCRATCH_ADDR: u32 = 0x01DD;
+    /// `XE_GPU_REG_SCRATCH_REG0` — first of 8 CP scratch registers
+    /// (`0x0578..=0x057F`, Canary `register_table.inc:331-338`).
+    pub const SCRATCH_REG0: u32 = 0x0578;
+    /// `XE_GPU_REG_SCRATCH_REG7` — last CP scratch register.
+    pub const SCRATCH_REG7: u32 = 0x057F;
 }
 
 /// 32-bit FNV-1a over a u32 seed + a slice of u32s. Used to derive a
@@ -1601,6 +1650,38 @@ mod tests {
         assert_eq!(gpu.register_file.read(0x101), 0xCAFE_BABE);
     }
 
+    #[test]
+    fn scratch_reg_write_mirrors_to_memory_when_umsk_enabled() {
+        // Mirrors Sylpheed's CP swap-callback arming: SCRATCH_ADDR points at a
+        // descriptor, SCRATCH_UMSK enables bit 4, and a Type-0 write of the
+        // callback PC into SCRATCH_REG4 (0x57C) must land at SCRATCH_ADDR + 16.
+        let mut gpu = GpuSystem::new();
+        let mut mem = build_mem();
+        gpu.initialize_ring_buffer(0x4000_0000, 10);
+        // Program SCRATCH_ADDR = 0x4000_1000 (physical-mirror identity), and
+        // SCRATCH_UMSK = bit 4 only (so SCRATCH_REG4 mirrors, REG3 does not).
+        gpu.register_file.write(reg::SCRATCH_ADDR, 0x4000_1000);
+        gpu.register_file.write(reg::SCRATCH_UMSK, 1 << 4);
+        // Type0 write run: base = SCRATCH_REG3 (0x57B), count = 2 → writes
+        // 0x11111111 → SCRATCH_REG3 (UMSK bit 3 clear), 0x824CE2B8 →
+        // SCRATCH_REG4 (UMSK bit 4 set → mirrored to ADDR + 4*4 = +16).
+        const SCRATCH_REG3: u32 = 0x057B;
+        let hdr = (1u32 << 16) | SCRATCH_REG3;
+        mem.write_u32(0x4000_0000, hdr);
+        mem.write_u32(0x4000_0004, 0x1111_1111);
+        mem.write_u32(0x4000_0008, 0x824C_E2B8);
+        gpu.extend_write_ptr(3);
+        assert!(matches!(gpu.execute_one(&mut mem), ExecOutcome::Stepped { .. }));
+        // SCRATCH_REG3 (bit 3 clear) must NOT mirror; SCRATCH_REG4 (bit 4 set)
+        // must mirror to SCRATCH_ADDR + 16.
+        assert_eq!(mem.read_u32(0x4000_1000 + 12), 0, "reg3 must not mirror");
+        assert_eq!(
+            mem.read_u32(0x4000_1000 + 16),
+            0x824C_E2B8,
+            "reg4 must mirror to SCRATCH_ADDR+16"
+        );
+    }
+
     #[test]
     fn wait_reg_mem_blocks_then_unblocks_when_mem_changes() {
         let mut gpu = GpuSystem::new();

crates/xenia-kernel/src/exports.rs

@@ -2999,52 +2999,82 @@ fn vd_swap(ctx: &mut PpcContext, mem: &GuestMemory, state: &mut KernelState) {
     // xboxkrnl_video.cc:479. Currently skipped (see below).
     let _ = fetch_dwords; // silence unused — will be live again under the deferred path
 
-    // The original M2b path zero-filled buffer_ptr (in the system command
-    // buffer) and bumped WPTR by 64 to expose the game's own ring writes.
-    // Keep that untouched — the game still expects buffer_ptr to be a
-    // skippable scratch area, and the bump still exposes any game-batched
-    // PM4 packets for the drain.
+    // iterate-2T: mirror xenia-canary `VdSwap_entry` (xboxkrnl_video.cc:518-548)
+    // FAITHFULLY. The game reserves 64 dwords (256 bytes) in the primary ring
+    // at `buffer_ptr`; canary writes a `PM4_TYPE0(SHADER_CONSTANT_FETCH_00_0)`
+    // fetch-constant patch followed by `PM4_TYPE3(PM4_XE_SWAP)`, then pads with
+    // NOPs. We do the same, then bump WPTR by 64 so the drain consumes the
+    // PM4_XE_SWAP **in command-stream order** — i.e. AFTER any in-stream
+    // callback-arming Type-0 writes the game already queued.
+    //
+    // Why this matters (the iterate-2T root): the previous M2b short-circuit
+    // called `notify_xe_swap` directly from the HLE, which synthesized a CP
+    // swap-complete interrupt OUT OF BAND. When that interrupt reached the
+    // graphics ISR (`sub_824BE9A0`) before D3D had armed its swap-callback
+    // slot (`[gfx+10772]+16` still the `0xBADF00D` placeholder), the ISR hit
+    // its "ERR[D3D]: Unanticipated CPU_INTERRUPT. Sign of a corrupt command
+    // buffer?" assert (`twi` at 0x824BE9DC). Routing the swap through the ring
+    // packet keeps the interrupt naturally ordered after arming, matching
+    // canary (whose VdSwap raises NO interrupt itself; swap-complete CP
+    // interrupts come only from in-stream `PM4_INTERRUPT` packets).
     if buffer_ptr != 0 {
-        for i in 0..64u32 {
-            mem.write_u32(buffer_ptr + i * 4, xenia_gpu::pm4::make_packet_type2());
+        let mut off = 0u32;
+        let mut put = |i: &mut u32, v: u32| {
+            mem.write_u32(buffer_ptr + *i * 4, v);
+            *i += 1;
+        };
+        // PM4_TYPE0 fetch-constant slot-0 patch (6 dwords payload). The
+        // base_address field is patched to the physical frontbuffer so the
+        // bloom/blur "sample frame N for frame N+1" path reads the right page.
+        let mut patched = fetch_dwords;
+        patched[1] = (patched[1] & 0x0000_0FFF) | ((frontbuffer_addr >> 12) << 12);
+        put(
+            &mut off,
+            xenia_gpu::pm4::make_packet_type0(
+                xenia_gpu::gpu_system::CONST_BASE_FETCH as u16,
+                6,
+            ),
+        );
+        for d in patched {
+            put(&mut off, d);
+        }
+        // PM4_TYPE3(PM4_XE_SWAP, 4 dwords): signature, frontbuffer_phys, w, h.
+        put(
+            &mut off,
+            xenia_gpu::pm4::make_packet_type3(xenia_gpu::pm4::PM4_XE_SWAP, 4),
+        );
+        put(&mut off, xenia_gpu::pm4::SWAP_SIGNATURE);
+        put(&mut off, frontbuffer_addr);
+        put(&mut off, width);
+        put(&mut off, height);
+        // Pad the remainder with NOP (Type-2) packets.
+        while off < 64 {
+            put(&mut off, xenia_gpu::pm4::make_packet_type2());
         }
     }
     state.gpu.extend_write_ptr_by(64);
 
-    // GPUBUG-DRAIN-001: notify the swap directly.
-    //
-    // Per xenia-canary `VdSwap_entry` (xboxkrnl_video.cc:438-521), the
-    // textbook approach is to inject `PM4_TYPE0(SHADER_CONSTANT_FETCH_00_0)`
-    // (fetch-constant slot-0 patch for the Sylpheed bloom/blur "frame N+1"
-    // sample) followed by `PM4_TYPE3(PM4_XE_SWAP)` directly into the
-    // primary ring at WPTR, then let the natural drain consume them.
-    //
-    // That works in **pure lockstep** (drain runs at every kernel callback
-    // boundary, ring has at most a few hundred packets pending). It
-    // **does not** work under `--parallel` (CPU + GPU ring contention) —
-    // observed empirically: vd_swap's `drain_to_current_wptr` consumes
-    // 8-10 million game-batched IB packets in the 900 ms inline-deadline
-    // window without reaching our tail-injected PM4_XE_SWAP. Under
-    // threaded backend the worker has the same deadline. Either:
-    //   (a) the safety-net direct notify (below) fires and gets the swap
-    //       counted — but if the worker *eventually* drains past our
-    //       injected packet later it would double-count,
-    //   (b) we extend the deadline so far that vd_swap blocks for many
-    //       seconds — unreasonable for a kernel callback.
-    //
-    // Skip the ring injection unconditionally and post `notify_xe_swap`
-    // directly. The drain still runs (game packets execute as normal).
-    // **Trade-off**: the slot-0 fetch-constant patch is deferred —
-    // tracked as GPUBUG-FETCH-PATCH-001. Sylpheed currently has draws=0,
-    // so a stale slot 0 has no observable effect.
+    // Drain the ring; the PM4_XE_SWAP we just queued (and any in-stream
+    // PM4_INTERRUPT) executes in order. The PM4_XE_SWAP handler calls
+    // `notify_xe_swap` for host swap bookkeeping; no synthetic interrupt is
+    // raised (see `notify_xe_swap`).
     let drained = state.gpu.drain_to_current_wptr(mem);
     tracing::debug!(drained, "VdSwap: drained PM4 packets");
 
-    // Direct swap notification. Inline mode bumps `swaps_seen`
-    // synchronously; threaded mode posts a `GpuCommand::NotifyXeSwap`
-    // and the worker bumps it asynchronously.
+    // Safety net: if the drain did NOT reach our PM4_XE_SWAP this call (e.g.
+    // an undersized inline deadline left game-batched packets pending), still
+    // bump the host swap counter so the UI present + swap stats stay live.
+    // Skip when the in-stream PM4_XE_SWAP already recorded this frontbuffer
+    // (avoids double-counting). This path does NOT raise a CP interrupt.
     if frontbuffer_addr != 0 && width > 0 && height > 0 {
-        state.gpu.notify_xe_swap(frontbuffer_addr, width, height);
+        let already_swapped = state
+            .gpu
+            .as_inline_mut()
+            .map(|g| g.last_swap.map(|s| s.frontbuffer_phys) == Some(frontbuffer_addr))
+            .unwrap_or(false);
+        if !already_swapped {
+            state.gpu.notify_xe_swap(frontbuffer_addr, width, height);
+        }
     }
 
     // The remaining vd_swap work (UI publish: shader blobs, constants,