xenia-rs/audit-runs/iterate-2AV-tid13-registrar/findings-static.md
MechaCat02 ef93a4fa14 handoff: VSync/event-wedge fixes + iterate 2.A–2.BC research notes
Source changes (dormant parity infra, retained from iterate 2.AI/2.AO):
- xenia-kernel/exports.rs: nt_create_event manual_reset polarity +
  related event wiring
- xenia-gpu/mmio_region.rs: D1MODE_VBLANK_VLINE_STATUS hardcode parity

Also lands the audit-runs/ analysis notes (.md/.txt/.json digests) for the
iterate 2.x VSync/0x10e8/0x1004 wedge investigation. Raw trace dumps
(.jsonl/.gz/.csv/.stdout) and agent worktrees (.claude/) are gitignored as
regenerable local artifacts — see memory + HANDOFF for the running findings.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 07:19:08 +02:00


# 2.AV static findings (canary runtime trace BLOCKED by wine GPU-init stall)
## Object model (ours == canary, identical guest XEX)
- Publisher singleton (ours runtime 0xbc58c910), vtable 0x820a183c, built by GetInstance
sub_8216ea68, called UNCONDITIONALLY from image entry_point sub_824ab748 @0x824ab8dc.
Stored at global 0x828a865c (refcounted; teardown sub_8216f170).
- field8 = publisher[+8] (ours runtime 0xbd024a80), built by sub_82173990 (derived) ->
base ctor sub_82173360. Base ctor: vtable@+0, CRITICAL_SECTION@+16 (RtlInitializeCSAndSpinCount
@0x821733a0), then ZERO-INITS +44 (stw r29=0, 44(r30) @0x821733a4) and +48,+52,...
=> field8+44 is a NULL-initialized observer/next pointer (NOT a CS lock word; the CS is +16..+44).
- Notify/publish method = publisher vtable+0x1C = 0x821753c8:
  ```asm
  lwz r11,8(r3)         ; field8
  lwz r11,44(r11)       ; observer = field8+44
  cmplwi; beqlr         ; if NULL -> silent return
  lwz r3,0(r11); lwz r11,0(r3); lwz r11,48(r11); bctr   ; dispatch observer.vtable[+0x30]
  ```
  (sibling notify at vtable+0x14=0x82175350 same shape via vtable+0x2c)
## opt_callback / ISR chain (confirmed by 2.AT deref + this static)
- VSync ISR sub_824be9a0(r3=mode,r4=user_data):
r3==0 (60Hz VSync): frame bookkeeping, then @0x824bea80 r11=[user_data+15144]=opt_callback;
if !=0 -> bctrl @0x824beaa8 (lr=0x824beaac seen in traces).
r3==1 (other src): callback [user_data+20] if [user_data+16]!=0.
- opt_callback (+15144) = 0x822f2248, installed by sub_824c1920 (`stw r4,15144(r3)`),
called from registrar sub_822f1f20 @0x822f1f70 (r3=user_data, r4=0x822f2248).
sub_822f1f20 reached from VSync main loop sub_822f1aa8 @0x822f1f04.
- 0x822f2248 -> virtual dispatch -> publisher.vtable[+0x1C] = 0x821753c8 (the notify method above).
## ours runtime (2.AT): field8+44 == 0 at every dispatch => beqlr, never signals 0x10e8.
## opt_callback fires only 67x total, EARLY boot (cycles 312K-7.3M), tids 7(55x)+1(12x); NOT 60Hz.
## tid=13 reconciliation (Task C)
- CURRENT exit-state (this run, 2.AP, 2.AQ): tid=13 = EXITED CLEAN (pc=lr=0xbcbcbcbc sentinel),
NOT in wedge_map. 2.V clean-exit HOLDS; tid=13 did NOT regress.
- sub_821CB030 (2.AT-claimed tid=13 wait site) = generic string/path utility, 6 callers,
NOT a wait/wedge primitive. No current thread parked there.
- => 2.AT's "R1 downstream of wedged tid=13" premise is NOT supported by current data.
## Registrar that would write field8+44: NOT FOUND in ours run (only zero-init + prior CS tenant).
## No static stw to +44 in notify region 0x82173000-0x82176000 except the zero-init.
## DECISIVE NEW FINDING (Task A/C): field8+44 observer is NEVER populated in EITHER engine
- Whole-image search for the subscribe pattern `lwz R,8(obj); stw delegate,44(R)` -> only 2 hits:
0x821916dc: `li r11,3; stw r11,44(r3)` (immediate flag, unrelated class)
0x8269fa70: `li r10,1; stw r10,44(r11)` (immediate flag, unrelated class, sub_8269F9F8)
NEITHER writes a heap delegate pointer to the publisher's field8+44.
- => No guest code registers an observer on the publisher's field8+44. Since ours==canary guest
code, canary ALSO leaves field8+44 NULL. The +44 notify-dispatch is a STRUCTURAL DEAD-END in
this title, not a producer ours fails to run.
- => Force-installing a delegate at +44 (2.AT/2.AR R1 "force-install") would be a pure crowbar
with NO canary basis. R1 is NOT a missing +44 registrar.
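As an added example (not code from this commit or the xenia tree), a scanner that performs the whole-image search described above on a constructed sample image: it decodes PowerPC D-form lwz/stw/addi words, tracks where each GPR was last written, and classifies every `stw rS,44(rA)` as a zero-init, an immediate flag, or a real delegate store through a `lwz R,8(obj)` base. The sample includes one hypothetical registrar so the positive case is visible; the STORE_OPS set, the sample base address and the sample words are assumptions, and the sweep is a linear heuristic, not a CFG-aware dataflow.

```python
import struct

OP_ADDI, OP_LWZ, OP_STW = 14, 32, 36
# Store opcodes that read rS rather than write it (assumed set, D-form integer/float stores).
STORE_OPS = {36, 37, 38, 39, 44, 45, 52, 53, 54, 55}
FIELD8_OFF, OBSERVER_OFF = 8, 44          # offsets from the findings above

def dform(opc, rt, ra, d):
    """Assemble a D-form word; only used to build the constructed sample."""
    return (opc << 26) | (rt << 21) | (ra << 16) | (d & 0xFFFF)

def decode(word):
    """Split a D-form word into (opcode, rT/rS, rA, signed displacement)."""
    d = word & 0xFFFF
    return word >> 26, (word >> 21) & 31, (word >> 16) & 31, (d - 0x10000 if d & 0x8000 else d)

def scan(image, base):
    """Heuristic linear sweep: remember the last writer of each GPR so each
    stw to +44 can be classified by where its source and base registers came from."""
    defs, hits = {}, []
    for i, (word,) in enumerate(struct.iter_unpack(">I", image)):
        opc, rt, ra, d = decode(word)
        if opc == OP_STW and d == OBSERVER_OFF:
            src, dst = defs.get(rt, ("other",)), defs.get(ra, ("other",))
            if src[0] == "imm":
                kind = "zero-init" if src[1] == 0 else "immediate-flag"
            elif dst[0] == "lwz" and dst[2] == FIELD8_OFF:
                kind = "delegate-to-field8"    # the subscribe shape searched for above
            else:
                kind = "other"
            hits.append((base + 4 * i, kind))
        if opc == OP_ADDI and ra == 0:
            defs[rt] = ("imm", d)              # li rD,imm
        elif opc == OP_LWZ:
            defs[rt] = ("lwz", ra, d)
        elif opc not in STORE_OPS:
            defs[rt] = ("other",)              # anything else is assumed to clobber rT
    return hits

def delegate_registrars(image, base):
    """Addresses of stores that would actually install an observer pointer at +44."""
    return [addr for addr, kind in scan(image, base) if kind == "delegate-to-field8"]

# Constructed sample image (not a dump of the title): the base-ctor zero-init, the two
# immediate-flag hits listed above, one hypothetical real registrar, and an unrelated store.
SAMPLE_BASE = 0x82000000                   # assumed load address
SAMPLE = struct.pack(">10I",
    dform(OP_ADDI, 29, 0, 0), dform(OP_STW, 29, 30, 44),   # li r29,0 ; stw r29,44(r30)
    dform(OP_ADDI, 11, 0, 3), dform(OP_STW, 11, 3, 44),    # li r11,3 ; stw r11,44(r3)
    dform(OP_ADDI, 10, 0, 1), dform(OP_STW, 10, 11, 44),   # li r10,1 ; stw r10,44(r11)
    dform(OP_LWZ, 11, 3, 8),  dform(OP_STW, 4, 11, 44),    # lwz r11,8(r3) ; stw r4,44(r11)
    dform(OP_LWZ, 5, 3, 8),   dform(OP_STW, 5, 3, 16),     # store to +16, not the slot
)
```

Running `scan(SAMPLE, SAMPLE_BASE)` flags only the hypothetical `lwz r11,8(r3); stw r4,44(r11)` pair as a delegate store, which is the shape the real image lacks.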
## Implication: the real 0x10e8 signaller is a DIFFERENT path
- VSync ISR sub_824be9a0 has TWO callbacks: r3==0 -> opt_callback(+15144) -> dead-end +44 notify;
r3==1 -> [user_data+10772]->[+16]/[+20] graphics-interrupt sub-callback (set by guest gfx driver
via the +10768/+10772 alloc in sub_824bfee0). The r3==1 path (or a host-direct KeSetEvent on the
swap event) is the likely 0x10e8 producer — NOT the opt_callback +44 chain.
- ours opt_callback fires only 67x EARLY (cycles 312K-7.3M), NOT 60Hz. Canary delivers 60Hz
(tid=2 NtSetEvent 4660x). The divergence is INTERRUPT-DELIVERY CADENCE (ours stops pumping the
ISR after boot) + which ISR sub-path/event actually drives 0x10e8 — not the +44 observer.
## CANARY RUNTIME TRACE: ATTEMPTED, BLOCKED
- build-cross Windows xenia_canary.exe (has audit_61/68 cvars) run under wine stalls right after
config dump, never mounts ISO (GPU/window init hang in this wine prefix, headless and non-headless).
Native Linux Debug binary lacks audit cvars. Could not capture canary field8+44 at runtime.
Config restored to defaults; processes killed.