# 2.AV static findings (canary runtime trace BLOCKED by wine GPU-init stall)

## Object model (ours == canary, identical guest XEX)

- Publisher singleton (ours runtime 0xbc58c910), vtable 0x820a183c, built by GetInstance sub_8216ea68, called UNCONDITIONALLY from image entry_point sub_824ab748 @0x824ab8dc. Stored at global 0x828a865c (refcounted; teardown sub_8216f170).
- field8 = publisher[+8] (ours runtime 0xbd024a80), built by sub_82173990 (derived) -> base ctor sub_82173360. Base ctor: vtable@+0, CRITICAL_SECTION@+16 (RtlInitializeCSAndSpinCount @0x821733a0), then ZERO-INITS +44 (`stw r29=0, 44(r30)` @0x821733a4) and +48, +52, ... => field8+44 is a NULL-initialized observer/next pointer (NOT a CS lock word; the CS is +16..+44).
- Notify/publish method = publisher vtable+0x1C = 0x821753c8:

      lwz r11,8(r3)                                          ; field8
      lwz r11,44(r11)                                        ; observer = field8+44
      cmplwi; beqlr                                          ; if NULL -> silent return
      lwz r3,0(r11); lwz r11,0(r3); lwz r11,48(r11); bctr    ; dispatch observer.vtable[+0x30]

  (sibling notify at vtable+0x14 = 0x82175350, same shape via vtable+0x2c)

## opt_callback / ISR chain (confirmed by 2.AT deref + this static)

- VSync ISR sub_824be9a0 (r3=mode, r4=user_data):
  - r3==0 (60Hz VSync): frame bookkeeping, then @0x824bea80 r11=[user_data+15144]=opt_callback; if !=0 -> bctrl @0x824beaa8 (lr=0x824beaac seen in traces).
  - r3==1 (other src): callback [user_data+20] if [user_data+16]!=0.
- opt_callback (+15144) = 0x822f2248, installed by sub_824c1920 (`stw r4,15144(r3)`), called from registrar sub_822f1f20 @0x822f1f70 (r3=user_data, r4=0x822f2248). sub_822f1f20 reached from VSync main loop sub_822f1aa8 @0x822f1f04.
- 0x822f2248 -> virtual dispatch -> publisher.vtable[+0x1C] = 0x821753c8 (the notify method above).

## ours runtime (2.AT)

- field8+44 == 0 at every dispatch => beqlr, never signals 0x10e8.
- opt_callback fires only 67x total, EARLY boot (cycles 312K-7.3M), tids 7 (55x) + 1 (12x); NOT 60Hz.

## tid=13 reconciliation (Task C)

- CURRENT exit-state (this run, 2.AP, 2.AQ): tid=13 = EXITED CLEAN (pc=lr=0xbcbcbcbc sentinel), NOT in wedge_map. 2.V clean-exit HOLDS; tid=13 did NOT regress.
- sub_821CB030 (2.AT-claimed tid=13 wait site) = generic string/path utility, 6 callers, NOT a wait/wedge primitive. No current thread parked there.
- => 2.AT's "R1 downstream of wedged tid=13" premise is NOT supported by current data.

## Registrar that would write field8+44: NOT FOUND

- NOT FOUND in ours run (only zero-init + prior CS tenant).
- No static stw to +44 in notify region 0x82173000-0x82176000 except the zero-init.

## DECISIVE NEW FINDING (Task A/C): field8+44 observer is NEVER populated in EITHER engine

- Whole-image search for the subscribe pattern `lwz R,8(obj); stw delegate,44(R)` -> only 2 hits:
  - 0x821916dc: `li r11,3; stw r11,44(r3)` (immediate flag, unrelated class)
  - 0x8269fa70: `li r10,1; stw r10,44(r11)` (immediate flag, unrelated class, sub_8269F9F8)

  NEITHER writes a heap delegate pointer to the publisher's field8+44.
- => No guest code registers an observer on the publisher's field8+44. Since ours==canary guest code, canary ALSO leaves field8+44 NULL. The +44 notify-dispatch is a STRUCTURAL DEAD-END in this title, not a producer ours fails to run.
- => Force-installing a delegate at +44 (2.AT/2.AR R1 "force-install") would be a pure crowbar with NO canary basis. R1 is NOT a missing +44 registrar.

## Implication: the real 0x10e8 signaller is a DIFFERENT path

- VSync ISR sub_824be9a0 has TWO callbacks: r3==0 -> opt_callback(+15144) -> dead-end +44 notify; r3==1 -> [user_data+10772]->[+16]/[+20] graphics-interrupt sub-callback (set by guest gfx driver via the +10768/+10772 alloc in sub_824bfee0). The r3==1 path (or a host-direct KeSetEvent on the swap event) is the likely 0x10e8 producer, NOT the opt_callback +44 chain.
- ours opt_callback fires only 67x EARLY (cycles 312K-7.3M), NOT 60Hz. Canary delivers 60Hz (tid=2 NtSetEvent 4660x). The divergence is INTERRUPT-DELIVERY CADENCE (ours stops pumping the ISR after boot) + which ISR sub-path/event actually drives 0x10e8, not the +44 observer.

## CANARY RUNTIME TRACE: ATTEMPTED, BLOCKED

- build-cross Windows xenia_canary.exe (has audit_61/68 cvars) run under wine stalls right after config dump, never mounts ISO (GPU/window init hang in this wine prefix, headless and non-headless). Native Linux Debug binary lacks audit cvars. Could not capture canary field8+44 at runtime. Config restored to defaults; processes killed.
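As an added illustration (not part of these notes, and not code from the Xenia project or the guest title), here is a small Python linear-sweep scanner for the `lwz R,8(obj); stw delegate,44(R)` subscribe pattern searched for above. It decodes only the three D-form opcodes the pattern needs (lwz, stw, addi/li), treats branch opcodes as basic-block boundaries, and classifies every `stw rS,44(rA)` as an immediate flag (rS set by `li`), a delegate store (rA loaded from `+8`, rS not an immediate), or an unrelated +44 store. The image bytes, the base address, and the `delegate-store` case are constructed to exercise the classifier; on the real title the notes report only the two immediate-flag hits.

```python
"""Linear-sweep scanner for `lwz R,8(obj); stw delegate,44(R)` in a
big-endian PowerPC image.  Only lwz/stw/addi are decoded; everything
else is opaque, and any branch opcode resets register provenance."""
import struct

OP_ADDI, OP_LWZ, OP_STW = 14, 32, 36
BRANCH_OPS = {16, 18, 19}   # bc, b/bl, and the XL-form family (blr/bctr/...)

FIELD8_OFF = 8              # publisher[+8]      (offset taken from the notes)
OBSERVER_OFF = 44           # field8+44 observer (offset taken from the notes)


def encode_d(opcode, rt, ra, d):
    """D-form encoder; used only to build the constructed sample image."""
    return (opcode << 26) | (rt << 21) | (ra << 16) | (d & 0xFFFF)


def decode_d(word):
    """Split a 32-bit word into D-form fields (opcode, rT/rS, rA, signed d)."""
    op = word >> 26
    rt = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    d = word & 0xFFFF
    if d & 0x8000:
        d -= 0x10000
    return op, rt, ra, d


def scan_subscribe_pattern(image, base, window=4):
    """Return [(addr, kind)] for every `stw rS,44(rA)` in `image`.

    kind: 'immediate-flag'  rS was set by li (addi rS,0,imm) within `window`
          'delegate-store'  rA was loaded by lwz rA,8(x) and rS is not an immediate
          'other-44-store'  a +44 store with neither provenance
    """
    nwords = len(image) // 4
    words = struct.unpack(f'>{nwords}I', image[:nwords * 4])
    hits = []
    last_def = {}            # reg -> (index, opcode, rA, d) of its last writer

    def fresh(entry, i):
        return entry is not None and i - entry[0] <= window

    for i, w in enumerate(words):
        op, rt, ra, d = decode_d(w)
        if op in BRANCH_OPS:
            last_def.clear()         # conservative: do not track across blocks
            continue
        if op == OP_STW and d == OBSERVER_OFF:
            addr = base + 4 * i
            src, dst = last_def.get(rt), last_def.get(ra)
            if fresh(src, i) and src[1] == OP_ADDI and src[2] == 0:
                hits.append((addr, 'immediate-flag'))
            elif fresh(dst, i) and dst[1] == OP_LWZ and dst[3] == FIELD8_OFF:
                hits.append((addr, 'delegate-store'))
            else:
                hits.append((addr, 'other-44-store'))
        elif op in (OP_ADDI, OP_LWZ):
            last_def[rt] = (i, op, ra, d)
    return hits


# Constructed sample image (addresses and code are invented for the demo).
SAMPLE_BASE = 0x82000000
SAMPLE_IMAGE = b''.join(struct.pack('>I', w) for w in [
    encode_d(OP_ADDI, 11, 0, 3),      # li r11,3
    encode_d(OP_STW, 11, 3, 44),      # stw r11,44(r3)   -> immediate flag
    0x4E800020,                       # blr (block boundary)
    encode_d(OP_LWZ, 11, 3, 8),       # lwz r11,8(r3)    ; field8
    encode_d(OP_LWZ, 10, 1, 80),      # lwz r10,80(r1)   ; pointer from the stack
    encode_d(OP_STW, 10, 11, 44),     # stw r10,44(r11)  -> the subscribe pattern
    0x4E800020,                       # blr
    encode_d(OP_STW, 29, 30, 44),     # stw r29,44(r30)  ; provenance unknown here
])

if __name__ == '__main__':
    for addr, kind in scan_subscribe_pattern(SAMPLE_IMAGE, SAMPLE_BASE):
        print(f'{addr:#010x}: {kind}')
```

The `window` bound keeps the check local, which matches how the notes read the two real hits (an `li` immediately before the `stw`); widen it, or replace the linear sweep with a per-function walk, when a title keeps the delegate in a callee-saved register for longer.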